Google Cloud Digital Leader (GCDL) — Questions 451–507

507 questions total · 7 pages · All types, answers revealed

Page 7 of 7

451
MCQ · medium

A company's analytics team wants to enable business users to create their own reports and dashboards from a governed set of BigQuery data, without writing SQL. At the same time, the data engineering team must maintain centralized control over how key metrics (like 'revenue' or 'active users') are defined. Which Google Cloud product architecture best meets both requirements?

A. Looker Studio connected directly to BigQuery, allowing each business user to create their own metric definitions
B. Looker with LookML semantic layer: data engineers centrally govern metric definitions in LookML, business users create self-service reports through Looker's interface using those governed definitions — no SQL required
C. Sharing BigQuery query templates with business users and training them to modify them for their reports
D. Building a custom web application that wraps BigQuery APIs and presents data to business users
Answer: B

Looker's LookML semantic layer is precisely designed for this dual requirement. Engineers write LookML once; it becomes the source of truth for metric definitions. Business users explore and report using a visual interface that always queries through LookML — guaranteed consistency, no SQL needed.

Why this answer

Option B is correct because Looker with LookML provides a semantic layer where data engineers centrally define governed metric definitions (e.g., 'revenue' as SUM(price * quantity) with specific filters). Business users can then create self-service reports and dashboards via Looker's drag-and-drop interface without writing SQL, ensuring consistency and control over key metrics.

Exam trap

The trap here is that candidates may think Looker Studio (formerly Data Studio) is sufficient for self-service reporting, but they overlook the critical requirement for a governed semantic layer (LookML) to enforce centralized metric definitions, which Looker Studio alone does not provide.

How to eliminate wrong answers

Option A is wrong because Looker Studio connected directly to BigQuery allows each business user to create their own metric definitions, which violates the requirement for centralized control over how key metrics are defined. Option C is wrong because sharing BigQuery query templates and training users to modify them still requires users to write or edit SQL, and it does not provide a governed semantic layer to enforce consistent metric definitions. Option D is wrong because building a custom web application that wraps BigQuery APIs is a heavy engineering effort that duplicates functionality already provided by Looker's semantic layer, and it does not inherently enforce centralized metric governance without additional custom logic.

452
MCQ · medium

A company uses Google Cloud and wants to understand their monthly cloud spend before the invoice arrives, track spending trends, and identify the top cost drivers across all services. Which built-in Google Cloud tool provides this visibility?

A. Cloud Monitoring dashboards with cost metrics.
B. Cloud Billing reports and cost breakdown in the Billing console.
C. Cloud Asset Inventory — it lists all resources and their costs.
D. Google Cloud pricing calculator — it shows estimated costs.
Answer: B

The Cloud Billing console provides pre-built reports: cost by service, cost by project, cost over time, and spend forecasts. Billing export to BigQuery enables deeper custom analysis.

Why this answer

Cloud Billing reports and cost breakdown in the Billing console provide built-in, out-of-the-box visibility into monthly spend before the invoice arrives, spending trends, and top cost drivers across all services. This tool aggregates billing data from all projects and services, allowing you to filter by time range, project, service, or SKU, and view cost trends and breakdowns without additional configuration.

Exam trap

Cisco often tests the misconception that Cloud Monitoring can natively show cost metrics, but in reality, cost metrics require billing export to BigQuery and custom dashboard setup, whereas Cloud Billing reports provide this visibility immediately without additional configuration.

How to eliminate wrong answers

Option A is wrong because Cloud Monitoring dashboards with cost metrics require you to export billing data to BigQuery and then create custom dashboards, which is not a built-in, out-of-the-box solution for immediate cost visibility. Option C is wrong because Cloud Asset Inventory lists all resources and their metadata, but it does not provide cost data or spending trends; it is designed for asset discovery and governance, not cost analysis. Option D is wrong because the Google Cloud pricing calculator is a planning tool used to estimate costs before deployment, not a tool for viewing actual incurred spend or tracking trends.

453
MCQ · hard

A healthcare organization needs to store and analyze large volumes of patient diagnostic imaging data (e.g., DICOM files) in Google Cloud. The data must be stored in a cost-effective manner for long-term retention, with the ability to query metadata and run analytics using SQL-like queries. Which combination of Google Cloud services best meets these requirements?

A. Cloud Storage (Standard) for images, Datastore for metadata
B. Cloud Storage (Archive) for images, Cloud Spanner for metadata
C. Cloud Storage (Nearline) for images, BigQuery for metadata analytics
D. Cloud Filestore for images, Cloud SQL for metadata
Answer: C

Nearline is cost-effective for long-term retention with low access frequency; BigQuery provides SQL analytics on metadata.

Why this answer

Option C is correct because Cloud Storage Nearline provides cost-effective long-term storage for large imaging files with retrieval flexibility, while BigQuery enables SQL-based analytics on metadata extracted from DICOM headers, meeting both retention and query requirements without the cost of standard storage or the complexity of transactional databases.

Exam trap

Google Cloud often tests the misconception that 'cost-effective long-term storage' must use Archive storage, ignoring that Nearline is sufficient for data accessed occasionally (e.g., quarterly analytics) and that BigQuery is the only service listed that provides native SQL analytics on metadata at scale.

How to eliminate wrong answers

Option A is wrong because Cloud Storage Standard is not cost-effective for long-term retention (higher per-GB cost than Nearline/Archive) and Datastore is a NoSQL document database optimized for transactional workloads, not for SQL-like analytics on large metadata sets. Option B is wrong because Cloud Storage Archive has the lowest storage cost but imposes retrieval delays (minutes to hours) unsuitable for frequent analytics, and Cloud Spanner is a globally distributed relational database designed for high-availability transactions, overkill and expensive for metadata querying. Option D is wrong because Cloud Filestore is a network-attached file system for high-performance computing workloads (e.g., NFSv3), not designed for object storage of DICOM files, and Cloud SQL is a relational database for OLTP, not for scalable analytics on large metadata volumes.

454
MCQ · hard

A platform engineering team is designing a self-service cloud environment for development teams. They want developers to be able to provision approved cloud resources quickly without waiting for central IT approval for every request, while still ensuring compliance with security and cost policies. Which architectural approach best balances developer agility with governance?

A. Require all resource provisioning requests to be submitted as tickets to the central IT team for manual review and approval before any resources are created
B. Give all developers Owner access to all Google Cloud projects so they can provision any resources without delays
C. Provide a self-service catalog of pre-approved, policy-compliant infrastructure templates with automated provisioning, budget alerts, and org policy guardrails — enabling developer agility while enforcing compliance automatically
D. Allow developers to provision resources freely in a shared sandbox project only, keeping production entirely controlled by central IT
Answer: C

This is the platform engineering approach: build the rails, not the roads. Pre-approved templates (Terraform modules, Config Connector blueprints) let developers self-serve within defined boundaries. Org policies prevent non-compliant configurations. Budget alerts enforce cost controls. Developers move fast; governance is automated, not manual.

Why this answer

Option C is correct because it uses a self-service catalog with pre-approved, policy-compliant templates (e.g., Deployment Manager or Terraform configurations) combined with Organization Policy Service guardrails and automated budget alerts. This approach allows developers to provision resources on demand while enforcing security and cost policies automatically, balancing agility with governance without manual bottlenecks.

Exam trap

Google Cloud often tests the misconception that giving developers full access (Option B) or restricting them to a sandbox (Option D) are acceptable trade-offs, when in fact the correct answer requires a policy-as-code approach that enforces guardrails automatically without manual intervention.

How to eliminate wrong answers

Option A is wrong because requiring manual ticket-based approval for every request creates a central IT bottleneck that destroys developer agility, contradicting the goal of self-service provisioning. Option B is wrong because giving all developers Owner access to all projects violates the principle of least privilege, bypasses all governance controls, and creates severe security and compliance risks. Option D is wrong because restricting developers to a shared sandbox project only does not address their need to provision approved resources in production-like environments; it still forces central IT control for production, failing to balance agility with governance across the full lifecycle.

455
MCQ · easy

A company wants to automatically scale their Compute Engine managed instance group based on the number of requests per second. Which metric should they use?

A. CPU utilization
B. HTTP load balancing serving capacity
C. Instance group size
D. Custom metric from Cloud Monitoring
Answer: D

Custom metrics allow you to export application-level request rates.

Why this answer

Option D is correct because the company needs to scale based on requests per second, which is a custom application-level metric. Cloud Monitoring allows you to create custom metrics from your application, and managed instance groups can use these custom metrics for autoscaling, enabling precise scaling based on actual request throughput rather than proxy indicators.

Exam trap

The trap here is that candidates often confuse 'HTTP load balancing serving capacity' with request rate, but that metric measures the load balancer's backend capacity utilization (a ratio), not the raw number of requests per second, which requires a custom application metric.

How to eliminate wrong answers

Option A is wrong because CPU utilization is a system-level metric that does not directly correlate with requests per second; an instance could be CPU-bound for other reasons, leading to inaccurate scaling. Option B is wrong because HTTP load balancing serving capacity is a metric related to the load balancer's capacity, not the number of requests per second hitting the application; it measures backend capacity utilization, not request rate. Option C is wrong because instance group size is a static count of instances, not a metric that drives scaling decisions; using it as a scaling metric would create a circular dependency.

456
MCQ · medium

A product manager asks a cloud engineer: 'What exactly is an API, and why is it important for our cloud-based application?' Which explanation is most accurate and useful for a non-technical product manager?

A. An API is a programming language used to write cloud applications, similar to Python or Java
B. An API is a defined contract that allows software components, services, and applications to communicate and exchange data with each other — enabling integration between cloud services and third-party systems without requiring knowledge of each other's internals
C. An API is a user interface that allows non-technical staff to access cloud resources through a web browser
D. An API is a security certificate that authenticates cloud services to prevent unauthorized access
Answer: B

This is accurate and useful for a product manager. APIs define how services talk to each other (what to send, what to expect back) without requiring implementation details. Cloud's power comes largely from APIs: your application can call a translation API, payment API, maps API, and ML API to compose sophisticated functionality from independent services.

Why this answer

Option B is correct because an API (Application Programming Interface) is a defined contract—typically using HTTP methods (GET, POST, PUT, DELETE) and data formats like JSON or XML—that enables software components to communicate and exchange data without exposing internal implementation details. For a cloud-based application, APIs are crucial because they allow seamless integration between cloud services (e.g., AWS Lambda, Azure Functions) and third-party systems, enabling modularity, scalability, and interoperability. This explanation is most accurate and useful for a non-technical product manager as it focuses on the functional role of APIs rather than misleading technical jargon.

Exam trap

Cisco often tests the misconception that an API is a programming language or a user interface, tempting candidates who confuse interface types (API vs. GUI) or overgeneralize from common cloud terms like 'API gateway' without understanding the core definition.

How to eliminate wrong answers

Option A is wrong because an API is not a programming language; it is an interface or protocol that allows different software components to interact, whereas Python and Java are general-purpose programming languages used to implement APIs. Option C is wrong because an API is not a user interface (UI) for non-technical staff; a web-based UI like a dashboard or console provides graphical access to cloud resources, while APIs are programmatic endpoints typically consumed by developers or automated systems. Option D is wrong because an API is not a security certificate; while APIs often use authentication mechanisms like OAuth 2.0 or API keys for secure access, the API itself is the communication contract, not a certificate.

457
MCQ · easy

A company wants its internal applications to be accessible via a custom domain name (e.g., `app.company.com`) that routes to their Google Cloud load balancer. Which Google Cloud service manages DNS records for this?

A. Cloud CDN — it manages domain names for cached content.
B. Cloud DNS
C. Cloud Load Balancing — it automatically assigns domain names.
D. Cloud Armor — it routes traffic based on domain names.
Answer: B

Cloud DNS manages DNS zones and records. An A record pointing app.company.com to the load balancer's IP address routes users from the custom domain to the GCP load balancer.

Why this answer

Cloud DNS is the correct service because it is Google Cloud's managed DNS service that translates human-readable domain names (like app.company.com) into IP addresses. It allows you to create and manage DNS records (such as A, CNAME, or ALIAS records) that point your custom domain to the IP address or hostname of your Google Cloud load balancer, enabling traffic routing to your internal applications.

Exam trap

The trap here is confusing services that handle traffic (like Cloud Load Balancing or Cloud Armor) with the service that manages DNS records, leading candidates to pick a service that operates at a different layer of the network stack.

How to eliminate wrong answers

Option A is wrong because Cloud CDN is a content delivery network that caches content at edge locations to improve latency; it does not manage DNS records or domain name resolution. Option C is wrong because Cloud Load Balancing distributes traffic across backends but does not automatically assign or manage domain names; you must configure DNS separately to point a custom domain to the load balancer's IP or hostname. Option D is wrong because Cloud Armor is a web application firewall that provides security policies (e.g., IP allowlisting/denylisting, OWASP rules) and can filter traffic based on domain names, but it does not manage DNS records or domain name resolution.

458
MCQ · hard

A cloud operations engineer notices that the managed instance group 'my-mig' has been scaling up frequently, but the application performance is still degraded. The CPU utilization metric shows high values. What is most likely the issue?

A. The target size is set to 10, which is lower than the current needed capacity.
B. The instance group is using preemptible VMs which are being reclaimed frequently.
C. The autoscaler is using a cooldown period that is too long, preventing it from scaling down.
D. The scaling metric is not appropriate; consider using a custom metric that better reflects application load.
Answer: D

CPU utilization is not always the best indicator; a custom metric like request latency or queue depth might be better.

Why this answer

Option D is correct because the autoscaler is using CPU utilization as the scaling metric, but high CPU does not necessarily correlate with application performance degradation. If the application is bottlenecked on memory, I/O, or request queuing, CPU may remain high while throughput suffers. A custom metric (e.g., requests per second, latency, or queue depth) would better reflect actual application load and enable more accurate scaling decisions.

Exam trap

The trap here is that candidates assume high CPU utilization always means the application needs more compute capacity, but the question tests the understanding that the scaling metric must be aligned with the actual performance bottleneck, not just a generic system metric.

How to eliminate wrong answers

Option A is wrong because the target size being lower than needed capacity would prevent scaling up sufficiently, but the question states the instance group is scaling up frequently, so the autoscaler is actively adding instances; the issue is that scaling up is not fixing the performance problem. Option B is wrong because preemptible VMs being reclaimed would cause instance churn and potential performance degradation, but the question does not mention preemptible VMs, and the symptom of frequent scaling up with high CPU is not directly caused by preemption. Option C is wrong because a cooldown period that is too long would delay scaling down, not prevent scaling up; the issue here is that scaling up is happening but not resolving the degradation, so the cooldown period is not the root cause.

459
MCQ · hard

A company runs a mission-critical PostgreSQL database on Google Cloud that must support automatic failover to a standby instance within 60 seconds if the primary instance fails, with minimal data loss. Which Cloud SQL configuration satisfies this high availability requirement?

A. Cloud SQL with automated daily backups, restoring from backup if the primary fails
B. Cloud SQL High Availability configuration with a synchronously replicated standby instance that automatically promotes to primary within approximately 60 seconds of primary failure
C. Cloud SQL read replicas in another region, manually promoted if the primary fails
D. Running a self-managed PostgreSQL cluster on Compute Engine VMs with a custom pacemaker/corosync HA setup
Answer: B

Cloud SQL HA is precisely the right answer. It maintains a standby instance in the same region with synchronous replication, automatically detects primary failure, and promotes the standby without manual intervention. Failover typically completes within 60 seconds, meeting the stated RTO with minimal data loss (synchronous replication means near-zero RPO).

Why this answer

Option B is correct because Cloud SQL's High Availability (HA) configuration uses a synchronous replication mechanism between the primary and standby instances. This ensures that transactions are committed on both instances before being acknowledged, meeting the requirement for minimal data loss. In the event of a primary failure, the standby is automatically promoted to primary within approximately 60 seconds, satisfying the failover time requirement.

Exam trap

The trap here is that candidates may confuse read replicas (which are asynchronous and require manual promotion) with HA standby instances (which are synchronous and automatically promoted), or assume that automated backups can meet a strict 60-second RTO/RPO requirement.

How to eliminate wrong answers

Option A is wrong because restoring from automated daily backups cannot achieve a 60-second failover; recovery time would be much longer (minutes to hours) and data loss would include all changes since the last backup. Option C is wrong because Cloud SQL read replicas use asynchronous replication, which can result in significant data loss (seconds to minutes of transactions) and require manual promotion, failing both the automatic failover and minimal data loss requirements. Option D is wrong because while a self-managed Pacemaker/Corosync cluster could theoretically meet the requirements, it is not a Cloud SQL configuration and would require significant operational overhead, violating the premise of using a managed service; the question specifically asks for a Cloud SQL configuration.

460
MCQ · medium

A company has employees who use personal (unmanaged) devices to access corporate applications. The security team wants to prevent sensitive Google Workspace documents from being downloaded to personal devices. Which Google control most directly addresses this data loss prevention requirement for device-based scenarios?

A. Cloud Armor, by blocking requests from IP addresses associated with personal devices
B. Google Workspace context-aware access and endpoint management controls that restrict actions (such as downloads) for users accessing from unmanaged personal devices
C. Enabling two-factor authentication for all users, which prevents unauthorized access
D. Encrypting all Google Drive files so they cannot be read on personal devices
Answer: B

Google Workspace provides device-level context-aware access. Organizations can define policies that restrict capabilities based on device enrollment status — allowing read-only web access on unmanaged devices while blocking downloads, or requiring device enrollment to access sensitive content.

Why this answer

Option B is correct because Google Workspace context-aware access combined with endpoint management allows administrators to create access level policies that restrict specific actions—such as downloading, printing, or copying—based on device trust signals. When a user accesses Google Workspace from an unmanaged personal device, the policy can block the download of sensitive documents directly, addressing the data loss prevention requirement at the action level rather than just the access level.

Exam trap

The trap here is that candidates often confuse network-level controls (like Cloud Armor) or authentication controls (like 2FA) with device-level data loss prevention, failing to recognize that only context-aware access with endpoint management can enforce granular action restrictions based on device trust status.

How to eliminate wrong answers

Option A is wrong because Cloud Armor is a network security service that filters traffic at the edge based on IP addresses or geographic regions, but it cannot distinguish between managed and unmanaged devices or control application-level actions like downloads within Google Workspace. Option C is wrong because two-factor authentication (2FA) only verifies user identity at login; it does not enforce device-based restrictions or prevent a legitimate authenticated user from downloading sensitive documents to a personal device. Option D is wrong because encrypting Google Drive files protects data at rest and in transit, but it does not prevent a user with valid decryption keys from downloading and saving those files to an unmanaged device; encryption alone does not enforce download policies.

461
MCQ · medium

A regional grocery chain wants to compete with national chains that have larger marketing budgets. A consultant argues that cloud adoption can help level the playing field. Which cloud advantage most directly supports this argument?

A. The regional chain can use cloud object storage to store marketing images, matching the storage capacity of national chains
B. Cloud providers offer free unlimited compute to smaller businesses to help them compete
C. Pay-per-use cloud services give the regional chain access to the same advanced analytics, personalization, and demand forecasting capabilities as national chains without requiring equivalent capital investment
D. The regional chain can hire fewer IT staff because cloud providers manage all aspects of their business operations
Answer: C

This is the core democratizing effect of cloud. By paying only for what is used, smaller businesses can deploy capabilities (ML-driven demand forecasting, personalized promotions, real-time inventory analytics) that previously required the capital budgets only large enterprises could afford.

Why this answer

Option C is correct because pay-per-use cloud services enable the regional chain to leverage advanced analytics, personalization, and demand forecasting tools that are typically available only to large enterprises with significant capital budgets. This directly addresses the core challenge of competing with national chains by providing access to sophisticated data-driven marketing capabilities without the upfront investment in infrastructure and software licenses.

Exam trap

Google Cloud often tests the misconception that cloud adoption is primarily about cost savings or storage capacity, when the real transformative advantage for smaller businesses is the ability to access advanced, capital-intensive capabilities (like AI/ML analytics) on a pay-per-use basis, which directly supports competitive parity.

How to eliminate wrong answers

Option A is wrong because object storage for marketing images addresses only a basic storage need, not the advanced analytical and personalization capabilities required to level the playing field in marketing effectiveness. Option B is wrong because cloud providers do not offer free unlimited compute to smaller businesses; they offer pay-as-you-go models and limited free tiers, but unlimited free compute is not a real offering and would not be sustainable. Option D is wrong because cloud providers manage the underlying infrastructure, not all aspects of business operations such as store management, supply chain logistics, or customer service; this overstates the scope of cloud management and does not directly address marketing competition.

462
MCQ · easy

What access does Alice have to the Cloud Storage bucket?

A. Write objects only
B. Full control
C. Read objects only
D. Read and write objects
Answer: C

objectViewer permission allows listing and reading objects.

Why this answer

Option C is correct because the scenario describes Alice having read-only access to the Cloud Storage bucket. This is typically granted via IAM roles like 'roles/storage.objectViewer' in Google Cloud, which allows listing and reading objects but not writing or deleting them. The question implies that Alice can only view or download objects, not modify or upload them.

Exam trap

Google Cloud often tests the misconception that 'read-only' access implies the ability to list bucket contents but not download objects, whereas in Cloud Storage, read access includes both listing and downloading objects via the storage.objects.get permission.

How to eliminate wrong answers

Option A is wrong because 'Write objects only' would allow Alice to upload or overwrite objects but not read them, which contradicts the scenario where she can view objects. Option B is wrong because 'Full control' would grant Alice all permissions including read, write, and delete, which is excessive and not implied. Option D is wrong because 'Read and write objects' would allow both reading and uploading, but the scenario only indicates read access, not write.

463
MCQ · medium

A company migrating to the cloud wants to focus on building applications rather than managing servers. Which Google Cloud compute service provides a fully managed platform for web applications that automatically scales?

A. Cloud Functions
B. Google Kubernetes Engine
C. Compute Engine
D. App Engine
Answer: D

App Engine is a fully managed platform with automatic scaling for web apps.

Why this answer

App Engine is a fully managed, serverless platform that automatically scales web applications based on traffic. It abstracts away server management, allowing developers to focus solely on writing code, which aligns directly with the requirement to build applications without managing infrastructure.

Exam trap

The trap here is that candidates often confuse 'fully managed' with 'serverless' and incorrectly choose Cloud Functions (A) because it is serverless, but they overlook that Cloud Functions is not designed for hosting complete web applications with persistent HTTP routing and automatic scaling in the same way App Engine is.

How to eliminate wrong answers

Option A is wrong because Cloud Functions is a serverless compute service designed for event-driven, single-purpose functions, not for hosting full web applications with automatic scaling. Option B is wrong because Google Kubernetes Engine (GKE) is a managed Kubernetes cluster that still requires users to manage container orchestration, node pools, and scaling policies, not a fully managed platform that abstracts servers entirely. Option C is wrong because Compute Engine provides virtual machines (VMs) that require manual configuration, patching, and scaling, which contradicts the goal of not managing servers.

464
MCQ · hard

A retail chain with 500 stores wants to implement dynamic pricing — adjusting prices in real-time based on demand signals, competitor pricing, inventory levels, and weather forecasts. This requires processing millions of data points and updating prices across all stores within minutes. Which cloud capabilities make this possible?

A. A relational database that stores all prices with daily batch updates from a pricing spreadsheet.
B. Real-time stream processing (Pub/Sub + Dataflow) combined with ML model serving (Vertex AI) to ingest signals and compute optimized prices at scale.
C. A cloud-hosted ERP system that replaces the on-premises inventory management system.
D. A static website hosted on Cloud Storage that displays current prices.
Answer: B

Stream processing handles continuous price signals; ML models score optimal prices in real-time; elastic cloud compute handles demand spikes. This combination enables true dynamic pricing at retail scale.

Why this answer

Option B is correct because it combines real-time stream processing (Pub/Sub for ingesting millions of data points, Dataflow for processing them with low latency) with ML model serving (Vertex AI) to compute optimized prices on the fly. This architecture enables the sub-minute price updates required for dynamic pricing across 500 stores, leveraging Google Cloud's serverless, auto-scaling capabilities.

Exam trap

Google Cloud often tests the misconception that replacing an on-premises system with a cloud-hosted ERP (Option C) is sufficient for real-time processing, when in fact dynamic pricing requires dedicated stream processing and ML services, not just a migrated ERP.

How to eliminate wrong answers

Option A is wrong because a relational database with daily batch updates cannot process millions of real-time data points and update prices within minutes; batch updates introduce hours of latency, making dynamic pricing impossible. Option C is wrong because a cloud-hosted ERP system replaces on-premises inventory management but does not provide real-time stream processing or ML-based price optimization; it lacks the event-driven ingestion and model serving needed for dynamic pricing. Option D is wrong because a static website hosted on Cloud Storage merely displays current prices and has no mechanism to ingest signals, compute prices, or propagate updates across stores in real time.

465
MCQ · hard

A telecommunications company has completed a cloud migration but finds that its business agility — the speed at which it can launch new products — has not improved. An analysis reveals that while the infrastructure is now cloud-based, the software development and release processes remain unchanged: quarterly release cycles, lengthy change approval boards, and manual testing. What does this situation illustrate?

A. The company chose the wrong cloud provider; a different provider's infrastructure would enable faster releases
B. Cloud infrastructure adoption without modernizing software delivery practices (CI/CD, automated testing, continuous deployment) does not unlock agility; the delivery process is the bottleneck
C. Quarterly release cycles are appropriate for telecommunications products that require extensive regulatory testing, and the lack of agility is not a problem
D. The company must rebuild all applications as microservices before cloud can provide agility benefits
Answer: B

This is the core lesson. Cloud is an enabler of agility, not a guarantor. Without automated CI/CD pipelines, continuous testing, and frequent deployment cadences, quarterly releases persist regardless of whether code runs on cloud or on-premises VMs. DevOps practices and cloud infrastructure must be adopted together.

Why this answer

This illustrates that cloud infrastructure adoption without changing software delivery practices provides limited agility benefits. Cloud's agility potential is unlocked by complementary practices: CI/CD pipelines, automated testing, trunk-based development, and feature flags that enable continuous delivery. Quarterly release cycles with manual testing create the same bottleneck regardless of whether the infrastructure is on-premises or in the cloud.

466
MCQ · hard

A global e-commerce company serves customers from multiple continents. They want to guarantee fast page load times and minimize latency. Which Google Cloud service is most suitable for this transformation?

A. Cloud SQL for data caching
B. Cloud Storage multi-regional buckets
C. Cloud CDN with global external HTTP(S) load balancing
D. Compute Engine with large VMs
Answer: C

Cloud CDN caches content at edge locations, drastically reducing latency for global users.

Why this answer

Cloud CDN with global external HTTP(S) load balancing is the most suitable solution because it caches static and dynamic content at edge locations worldwide, reducing latency for users across multiple continents. The global load balancer provides anycast IP addresses that route traffic to the nearest healthy backend, while Cloud CDN serves cached content directly from the edge, minimizing round-trip time and improving page load times.

Exam trap

Google Cloud often tests the misconception that multi-regional storage alone (Option B) provides low latency, but candidates must understand that storage redundancy does not equal edge caching or request routing, which are essential for minimizing page load times across continents.

How to eliminate wrong answers

Option A is wrong because Cloud SQL is a managed relational database service, not a caching solution; it does not reduce latency for static content delivery and would introduce database overhead for page loads. Option B is wrong because Cloud Storage multi-regional buckets provide geo-redundant object storage but lack edge caching and request routing optimization; they require additional services like Cloud CDN to minimize latency. Option D is wrong because Compute Engine with large VMs addresses compute capacity, not latency; it does not distribute content geographically or cache responses, and users would still experience high latency from distant regions.

467
MCQ · easy

An organization wants to use Google Cloud for processing healthcare data subject to HIPAA regulations in the United States. Which contractual document must the organization obtain from Google before storing Protected Health Information (PHI) in Google Cloud?

A. A Non-Disclosure Agreement (NDA) to prevent Google from disclosing the existence of the healthcare application
B. A Business Associate Agreement (BAA), which is legally required by HIPAA before any covered entity can process Protected Health Information with a cloud provider
C. A Data Processing Agreement (DPA) as required under GDPR for European data subjects
D. An ISO 27001 certificate issued by Google Cloud demonstrating information security compliance
Answer: B

The BAA is non-negotiable for HIPAA compliance. Google Cloud offers a BAA that covers specific services for HIPAA workloads. Without a BAA in place, any PHI stored in Google Cloud constitutes a HIPAA violation — technical security controls alone do not satisfy the legal requirement.

Why this answer

Under HIPAA, a covered entity or business associate must obtain a Business Associate Agreement (BAA) from any cloud service provider that will create, receive, maintain, or transmit Protected Health Information (PHI). Google Cloud offers a BAA that contractually binds Google to comply with HIPAA Security and Privacy Rules, including safeguarding PHI and reporting breaches. Without a signed BAA, storing PHI in Google Cloud would violate HIPAA regulations.

Exam trap

The trap here is that candidates confuse a generic data protection document (like a DPA or NDA) with the HIPAA-specific BAA, or mistakenly believe that a security certification alone satisfies the contractual requirement for handling PHI.

How to eliminate wrong answers

Option A is wrong because a Non-Disclosure Agreement (NDA) only prevents disclosure of confidential information, but it does not impose the specific HIPAA-required safeguards, breach notification obligations, or permitted use restrictions that a BAA provides. Option C is wrong because a Data Processing Agreement (DPA) is mandated under GDPR for processing personal data of European data subjects, not for HIPAA compliance in the United States; HIPAA requires a BAA, not a DPA. Option D is wrong because an ISO 27001 certificate demonstrates that Google Cloud has an information security management system, but it is a certification, not a contractual document, and does not fulfill the HIPAA requirement for a signed BAA that includes specific privacy and security provisions.

468
MCQ · easy

A fashion retailer wants to use cloud to better understand customer preferences and launch trend-responsive product lines faster. Which capability most directly enables the retailer to sense market trends earlier and respond faster than competitors?

A. Real-time analytics on social media, search trends, and purchase signals to detect emerging preferences earlier, combined with cloud-integrated supply chain APIs for faster product launches
B. Moving the ERP system to a cloud-hosted VM to reduce infrastructure management overhead
C. Training the design team on cloud-based graphic design software for faster product visualization
D. Storing all historical sales data in cloud object storage for cheaper archival
Answer: A

This is the data-to-action pipeline that creates competitive advantage: real-time social/search data ingested at cloud scale reveals trends early; ML identifies patterns; supply chain APIs allow rapid response. The combination of early trend detection and fast execution creates a competitive moat.

Why this answer

Option A is correct because it directly addresses the retailer's goal of sensing market trends earlier and responding faster. Real-time analytics on social media, search trends, and purchase signals enable early detection of emerging preferences, while cloud-integrated supply chain APIs allow for rapid product launches by automating and accelerating the procurement and production processes. This combination of sensing and response capabilities is the most direct enabler of competitive advantage in trend-responsive retail.

Exam trap

Google Cloud often tests the distinction between operational improvements (like moving to a VM or using cloud storage) and strategic capabilities that directly enable competitive advantage through sensing and response; the trap here is that candidates may confuse general cloud benefits (cost savings, reduced overhead) with the specific capability needed for trend responsiveness.

How to eliminate wrong answers

Option B is wrong because moving an ERP system to a cloud-hosted VM primarily reduces infrastructure management overhead and may improve scalability, but it does not directly enable earlier sensing of market trends or faster product launches; it is an operational improvement, not a strategic sensing and response capability. Option C is wrong because training the design team on cloud-based graphic design software improves product visualization speed, but it does not provide real-time market trend sensing or supply chain integration; it addresses a downstream design step, not the upstream trend detection or rapid launch process. Option D is wrong because storing historical sales data in cloud object storage for cheaper archival provides cost savings and long-term data retention, but it does not enable real-time analytics or faster response to current trends; archival storage is passive and not designed for active trend sensing or agile supply chain integration.

469
MCQ · easy

A business analyst needs to understand why cloud services bill differently for compute (VMs) versus object storage. Compute VMs are billed per second while they are running; Cloud Storage is billed per GB-month of data stored. Which cloud pricing principle explains why these billing units are different?

A. Cloud providers bill different resources differently to maximize revenue by charging the highest rates for the most-used services
B. Cloud resources are billed based on their natural unit of consumption: compute time for VMs (per second running) and data volume over time for storage (per GB-month) — matching billing to how each resource is actually consumed
C. Storage is charged per GB-month because cloud providers cannot measure storage usage per second accurately
D. The billing difference is a temporary situation; cloud providers are working toward a single universal billing unit for all services
Answer: B

This is the correct explanation. Billing models match consumption patterns: VMs consume CPU/memory as long as they run (time-based), while storage accumulates data that persists over time (data×time). This measured service model ensures billing is proportional to actual resource use.

Why this answer

Option B is correct because cloud providers align billing units with the natural consumption pattern of each resource. Compute VMs consume CPU and memory continuously while running, making per-second billing the most granular and fair measure of actual usage. Object storage, by contrast, incurs cost primarily from the capacity occupied over time, so billing per GB-month directly reflects the resource's persistent footprint.

This principle ensures customers pay only for what they use, in the unit that matches the resource's operational behavior.

Exam trap

The trap here is that candidates confuse pricing strategy with technical feasibility, assuming storage cannot be measured per second (Option C) or that providers are moving to a single unit (Option D), when the real principle is matching billing to the resource's natural consumption model.

How to eliminate wrong answers

Option A is wrong because it incorrectly assumes revenue maximization as the driving principle; in reality, cloud providers use cost-based pricing tied to resource consumption, not arbitrary rate-setting for popular services. Option C is wrong because cloud providers can and do measure storage usage per second (e.g., via continuous capacity monitoring), but billing per second would be impractical and not meaningful since storage cost is driven by sustained occupancy, not instantaneous access. Option D is wrong because there is no industry effort toward a single universal billing unit; different resources inherently have different consumption models (time-based vs. capacity-based), and this diversity is fundamental to cloud pricing.

470
MCQ · hard

A regulated financial services firm must ensure that its data never leaves a specific geographic region (EU) for compliance with GDPR data residency requirements. Which Google Cloud features help enforce this requirement?

A. Select EU regions for all resources and apply the `gcp.resourceLocations` org policy to restrict resource creation to EU regions only.
B. Enable Cloud Armor on all load balancers to block non-EU traffic.
C. Use HTTPS for all connections to ensure data is encrypted when it leaves the EU.
D. Enable Google Workspace's regional storage settings to restrict where emails are stored.
Answer: A

Selecting EU regions keeps data at rest in the EU. The gcp.resourceLocations org policy prevents accidental creation of resources in non-EU regions, enforcing data residency at the policy level.

Why this answer

Option A is correct because the `gcp.resourceLocations` organization policy constraint explicitly restricts the physical location where Google Cloud resources can be created. By setting this policy to allow only EU regions, the organization ensures that no compute, storage, or database resources can be provisioned outside the EU, directly enforcing GDPR data residency requirements. This policy is evaluated at resource creation time and applies to all projects under the organization, providing a hard enforcement boundary.

Exam trap

Google Cloud often tests the distinction between network-level controls (like Cloud Armor) and data residency controls (like org policies), leading candidates to mistakenly choose a security tool that blocks traffic rather than a policy that restricts resource location.

How to eliminate wrong answers

Option B is wrong because Cloud Armor is a web application firewall that filters HTTP/S traffic based on IP addresses or geo-location, but it does not prevent data from being stored or processed outside the EU; it only controls incoming network requests, not where data resides. Option C is wrong because HTTPS encrypts data in transit, but encryption does not control the geographic location of data at rest or processing; data can still leave the EU while encrypted, violating residency requirements. Option D is wrong because Google Workspace's regional storage settings apply only to Workspace data (e.g., Gmail, Drive), not to the customer's own applications or data stored in Google Cloud services like Compute Engine or Cloud Storage, and the question is about a regulated financial services firm using Google Cloud, not Workspace.

471
MCQ · medium

A team needs to process and analyze streaming data in real-time as it arrives from IoT sensors. The pipeline must apply transformations, filter events, and write results to BigQuery. Which Google Cloud service is designed for this stream processing use case?

A. Cloud Dataproc
B. Cloud Dataflow
C. Cloud Composer
D. BigQuery Streaming Insert
Answer: B

Dataflow is Google's managed Apache Beam service for real-time stream (and batch) data processing. It ingests from Pub/Sub, transforms data on-the-fly, and writes to BigQuery — the standard GCP streaming pipeline pattern.

Why this answer

Cloud Dataflow is the correct choice because it is a fully managed, serverless service designed specifically for stream and batch data processing. It uses Apache Beam as its programming model, enabling you to apply transformations, filter events, and write results to BigQuery in real-time, exactly matching the described pipeline requirements.

Exam trap

Google Cloud often tests the distinction between data ingestion (BigQuery Streaming Insert) and data processing (Dataflow), leading candidates to mistakenly choose the streaming insert option because it contains the word 'streaming' and seems directly related to real-time data.

How to eliminate wrong answers

Option A is wrong because Cloud Dataproc is a managed Hadoop/Spark service optimized for batch processing and large-scale data analytics, not for real-time stream processing with built-in support for event-time windows and exactly-once semantics. Option C is wrong because Cloud Composer is a managed workflow orchestration service based on Apache Airflow, designed for scheduling and coordinating batch jobs, not for continuous stream processing. Option D is wrong because BigQuery Streaming Insert is a method for ingesting data into BigQuery in near real-time, but it does not provide the transformation, filtering, or pipeline processing capabilities required; it is a data ingestion endpoint, not a stream processing engine.

472
MCQ · hard

Refer to the exhibit. A data processing job must complete within 2 hours. The job can be interrupted but must resume from the last checkpoint. Which two instances should be used to minimize cost while meeting the requirement?

A. worker-2 and worker-4
B. worker-1 and worker-2
C. worker-2 and worker-3
D. worker-1 and worker-3
Answer: A

Both are preemptible, offering lowest cost for interruptible workloads.

Why this answer

Worker-2 and worker-4 are preemptible (spot) instances, which are significantly cheaper than standard instances. The job can be interrupted and resume from the last checkpoint, so preemptible instances are suitable. This combination minimizes cost while meeting the 2-hour completion requirement because preemptible instances have a maximum runtime of 24 hours and can be terminated earlier, but the checkpointing allows the job to complete within the 2-hour window even if interrupted.

Exam trap

Google Cloud often tests the misconception that preemptible instances are unreliable for any time-bound job, but the key is that checkpointing allows resumption, so they are cost-effective for jobs that can tolerate interruptions within the allowed window.

How to eliminate wrong answers

Option B is wrong because worker-1 is a standard (non-preemptible) instance, which costs more than preemptible instances; using it unnecessarily increases cost. Option C is wrong because worker-3 is a standard instance, and pairing it with worker-2 (preemptible) still incurs higher cost than using two preemptible instances. Option D is wrong because both worker-1 and worker-3 are standard instances, resulting in the highest cost without any benefit for a fault-tolerant, checkpointed job.

473
MCQ · medium

According to the NIST definition of cloud computing, which characteristic allows users to unilaterally provision computing resources such as server time and network storage without requiring human interaction with the service provider?

A. Broad network access
B. On-demand self-service
C. Resource pooling
D. Measured service
Answer: B

On-demand self-service allows users to provision resources (compute, storage) automatically through a portal or API without human interaction with the provider — core to the cloud experience.

Why this answer

NIST's five essential characteristics of cloud computing are: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. 'On-demand self-service' specifically describes the ability for users to provision capabilities automatically without provider interaction — using a web console or API to spin up VMs, databases, or storage instantly, without calling a salesperson or waiting for manual provisioning.

474
Multi-Select · easy

A company wants to implement a CI/CD pipeline for their Cloud Run services. Which THREE Google Cloud services should they use? (Choose 3)

Select 3 answers
A. Cloud Operations Suite
B. Cloud Build
C. Cloud Deploy
D. Cloud Deployment Manager
E. Container Registry (or Artifact Registry)
Answers: B, C, E

Builds container images and runs tests.

Why this answer

Cloud Build is the correct service because it is Google Cloud's fully managed CI/CD platform that can automatically build, test, and deploy code from a repository. For Cloud Run services, Cloud Build can trigger builds on code changes, run tests, and then deploy the container image directly to Cloud Run using a cloudbuild.yaml configuration file.

Exam trap

The trap here is that candidates confuse Cloud Deploy (a continuous delivery service for managing rollout strategies like canary or blue/green) with Cloud Build (the actual CI engine that builds and pushes images), or they mistakenly think Cloud Operations Suite is part of the pipeline because it monitors the deployed service.

475
MCQ · medium

Refer to the exhibit. A DevOps engineer wants to create a chart showing the rate of items sold per second over time. What is a limitation of this metric for that purpose?

A. The metric kind is GAUGE, so it cannot be used to calculate rate
B. The interval should include a startTime
C. The metric has no labels to filter
D. The value should be DOUBLE instead of INT64
Answer: A

GAUGE metrics are snapshots; rate requires DELTA or CUMULATIVE.

Why this answer

Option A is correct because a GAUGE metric represents a point-in-time value (e.g., current number of items), not an accumulated count. To calculate a rate (items per second), you need a DELTA or CUMULATIVE metric, whose values describe change over an interval and so allow Cloud Monitoring to compute a rate over time. GAUGE metrics lack these semantics, so they cannot be used to derive a meaningful rate of change.

Exam trap

Google Cloud often tests the misconception that any numeric metric can be used to compute a rate, when in fact only DELTA or CUMULATIVE metrics support rate-of-change calculations in Cloud Monitoring.

How to eliminate wrong answers

Option B is wrong because including a startTime in the interval is not a limitation of the metric itself; it is a standard parameter for time-series queries and does not prevent rate calculation. Option C is wrong because the absence of labels does not prevent rate calculation; labels are for filtering and aggregation, not for the fundamental ability to compute a rate. Option D is wrong because the data type (INT64 vs DOUBLE) does not affect the ability to calculate a rate; Cloud Monitoring can compute rates on integer values, and the limitation is the metric kind (GAUGE vs CUMULATIVE), not the value type.

476
MCQ · easy

A company needs to store large volumes of unstructured data (images, videos, backups, documents) with high durability and global accessibility. Which Google Cloud service is designed for object storage at any scale?

A. Persistent Disk
B. Cloud Storage
C. Cloud Filestore
D. Cloud Spanner
Answer: B

Cloud Storage is Google's globally distributed object storage for unstructured data. It stores any type of file (images, videos, backups, datasets) at any scale with 11 nines durability.

Why this answer

Cloud Storage is Google Cloud's fully managed, scalable object storage service designed for unstructured data such as images, videos, backups, and documents. It offers high durability (99.999999999% annual durability) and global accessibility via a unified namespace, making it the correct choice for storing large volumes of unstructured data at any scale.

Exam trap

Google Cloud often tests the distinction between block, file, and object storage services, leading candidates to confuse Persistent Disk (block) or Cloud Filestore (file) with object storage for unstructured data.

How to eliminate wrong answers

Option A is wrong because Persistent Disk provides block storage for Compute Engine instances, not object storage, and is designed for low-latency access to structured data rather than unstructured data at global scale. Option C is wrong because Cloud Filestore is a managed file storage service (NFS) for shared file systems, optimized for structured workloads like high-performance computing, not for object storage of unstructured data. Option D is wrong because Cloud Spanner is a globally distributed relational database service for transactional and analytical workloads, not an object storage solution for unstructured data.

477
MCQ · medium

A company's cloud operations team is implementing a tagging strategy for cost allocation. They want to ensure that the 'cost-center' label is present on every Compute Engine VM and Cloud Storage bucket created in their Google Cloud organization. Currently, some resources are created without this label. Which combination of controls best enforces and remediates this requirement?

A. Organization Policy custom constraint to prevent creation of resources without the 'cost-center' label (preventive), plus Cloud Asset Inventory to identify existing unlabeled resources for remediation (detective)
B. Only organization policy — once new resources are blocked, existing unlabeled resources don't matter
C. Only Cloud Asset Inventory monitoring — alerting on unlabeled resources is sufficient without preventing their creation
D. Grant all engineers the 'Labels Admin' role to encourage them to add labels voluntarily
Answer: A

This is the complete two-layer approach: prevention (org policy blocks future non-compliant resources at creation time) and detection/remediation (Cloud Asset Inventory finds existing unlabeled resources so they can be labeled retroactively). Together they address both the future and existing state.

Why this answer

A preventive control (org policy custom constraint requiring the label) stops future non-compliant resources. A detective/corrective control (Cloud Asset Inventory + Cloud Functions or Security Command Center) finds and remediates existing unlabeled resources. Both are needed for comprehensive enforcement.

478
MCQ · easy

A company's DevOps team wants to orchestrate a complex workflow that involves calling multiple Google Cloud APIs in sequence — first running a Cloud Build job, then checking the results, then either deploying to Cloud Run or sending a notification. Which Google Cloud product is designed for orchestrating multi-step workflow logic?

A. Cloud Scheduler, which triggers a series of jobs at specified cron intervals
B. Google Cloud Workflows, which orchestrates multi-step processes by calling APIs in sequence with conditional logic, error handling, and state management
C. Cloud Pub/Sub, by publishing messages between pipeline stages to trigger each subsequent step
D. Cloud Run, by writing the orchestration logic as a container application that calls other services sequentially
Answer: B

Workflows is the purpose-built orchestration service. It defines steps that call Cloud Build API, evaluate results, and conditionally proceed to Cloud Run deployment or notification — exactly the described use case. It handles retries, parallelism, and state automatically.

Why this answer

Google Cloud Workflows is the correct choice because it is a fully managed orchestration platform specifically designed to define multi-step workflows that call Google Cloud APIs and external services in sequence. It supports conditional logic (e.g., if-then-else), error handling (e.g., retries with exponential backoff), and state management, making it ideal for the described scenario of running a Cloud Build job, checking results, and conditionally deploying to Cloud Run or sending a notification.

Exam trap

The trap here is that candidates confuse a simple trigger or messaging service (like Cloud Scheduler or Pub/Sub) with a full orchestration engine, overlooking the need for conditional logic and state management that only Google Cloud Workflows provides.

How to eliminate wrong answers

Option A is wrong because Cloud Scheduler is a cron-based job scheduler that triggers tasks at fixed intervals, not an orchestrator that can handle conditional branching, error handling, or stateful sequencing of API calls. Option C is wrong because Cloud Pub/Sub is a messaging service for asynchronous event-driven communication; while it can trigger subsequent steps, it lacks built-in orchestration features like conditional logic, error handling, and workflow state management, requiring custom code to implement the full workflow. Option D is wrong because Cloud Run is a serverless container runtime; writing orchestration logic as a container application would require manual implementation of sequencing, state management, and error handling, and it does not provide native workflow orchestration capabilities like Google Cloud Workflows does.

479
MCQ · hard

A financial services company is designing a multi-cloud architecture with Google Cloud and AWS. They need to encrypt data at rest in Google Cloud using a key stored in their on-premises Hardware Security Module (HSM). What is the best approach?

A. Use default encryption
B. Use Cloud External Key Manager (Cloud EKM)
C. Use Cloud HSM
D. Use Cloud Key Management Service (Cloud KMS) with CMEK
Answer: B

Cloud EKM integrates with external key management systems, including on-prem HSMs, to provide encryption at rest.

Why this answer

Cloud External Key Manager (Cloud EKM) is the correct approach because it allows you to manage encryption keys in an external key management system, such as an on-premises HSM, while using those keys to encrypt data at rest in Google Cloud. This meets the requirement of storing the key in the on-premises HSM, as Cloud EKM integrates with supported external key management partners or directly with your HSM via a key management proxy, ensuring that Google Cloud never has direct access to the raw key material.

Exam trap

The trap here is that candidates often confuse Cloud HSM (which provides hardware-backed keys but within Google's infrastructure) with the ability to use an external on-premises HSM, leading them to select Cloud HSM instead of Cloud EKM.

How to eliminate wrong answers

Option A is wrong because default encryption uses Google-managed keys, which do not allow you to control or store the key in your on-premises HSM. Option C is wrong because Cloud HSM is a Google Cloud service that provides hardware-backed key storage within Google's infrastructure, not in your on-premises HSM, so it does not satisfy the requirement of using a key stored on-premises. Option D is wrong because Cloud KMS with CMEK allows you to manage your own keys, but those keys are stored in Google Cloud (either in Cloud KMS software or Cloud HSM), not in an external on-premises HSM, and CMEK does not support direct integration with external key stores.

480
Drag & Drop · medium

Drag and drop the steps to configure a load balancer for an HTTP application on Compute Engine into the correct order.

Why this order

The correct order is: instance group, health check, backend service, URL map, then target proxy and forwarding rule.

481
MCQ · hard

A data analytics team needs to run a one-time transformation on 10 TB of data stored in Cloud Storage, then load the results into BigQuery. The transformation is a custom Java application that reads files, processes them, and writes to a new location. Which service should they use to minimize operational overhead?

A. Cloud Dataflow with Apache Beam Java SDK
B. Google Kubernetes Engine (GKE) with a custom container
C. Dataproc Serverless with Spark job
D. Cloud Functions triggered by Cloud Storage events
Answer: C

Dataproc Serverless runs Spark without cluster management, ideal for one-time jobs.

Why this answer

Option C (Dataproc Serverless with Spark job) is correct because it provides a fully managed, serverless execution environment for running custom Java transformations on large datasets (10 TB) without provisioning or managing clusters. Dataproc Serverless automatically scales resources based on the job's needs, minimizing operational overhead while supporting Spark jobs that can read from Cloud Storage and write results to BigQuery.

Exam trap

Google Cloud often tests the misconception that serverless options like Cloud Functions can handle large-scale batch processing, but the trap here is ignoring the execution time and memory limits of Cloud Functions, which cannot process 10 TB of data in a single invocation.

How to eliminate wrong answers

Option A is wrong because Cloud Dataflow with Apache Beam Java SDK is optimized for stream and batch processing with a unified programming model, but it introduces additional complexity in defining pipelines and managing state, which is unnecessary for a simple one-time transformation; Dataflow also requires more setup for custom Java code compared to Spark on Dataproc Serverless. Option B is wrong because Google Kubernetes Engine (GKE) with a custom container requires manual cluster management, scaling, and orchestration, which increases operational overhead for a one-time job; it is not serverless and demands ongoing maintenance of infrastructure. Option D is wrong because Cloud Functions triggered by Cloud Storage events are designed for lightweight, event-driven processing with limited execution time (9 minutes max) and memory (8 GB max), making them unsuitable for processing 10 TB of data in a single transformation.

482
MCQ · easy

A company's security team wants to be alerted when someone with administrative permissions changes an IAM policy in their Google Cloud organization. Which Google Cloud capability enables this detection?

A. Data Access audit logs, which record when data is read from Cloud Storage buckets
B. Admin Activity audit logs combined with Cloud Monitoring log-based alerting, which records and alerts on IAM policy modifications by any principal
C. Cloud Armor, which blocks unauthorized IAM policy changes at the network layer
D. VPC flow logs, which capture all network traffic including IAM API calls
Answer: B

Admin Activity audit logs record all IAM policy changes (SetIamPolicy calls) automatically and cannot be disabled. A log-based metric in Cloud Monitoring can count these events, and an alerting policy triggers a notification whenever an IAM change is detected. This is the standard approach for IAM change monitoring.

Why this answer

Admin Activity audit logs record all changes to IAM policies and other configuration changes in Google Cloud. By combining these logs with Cloud Monitoring log-based alerting, the security team can create a specific alert that triggers whenever an IAM policy is modified by a principal with administrative permissions, enabling real-time detection of unauthorized changes.

Exam trap

Cisco often tests the distinction between audit log types (Admin Activity vs. Data Access) and the specific services that handle control-plane vs. data-plane operations, leading candidates to mistakenly choose Data Access logs or VPC flow logs for IAM policy changes.

How to eliminate wrong answers

Option A is wrong because Data Access audit logs record read/write operations on user-provided data (e.g., Cloud Storage objects), not IAM policy modifications, which are configuration changes. Option C is wrong because Cloud Armor is a web application firewall that protects against network-layer attacks like DDoS and SQL injection; it does not monitor or block IAM policy changes, which are control-plane operations. Option D is wrong because VPC flow logs capture metadata about network traffic (e.g., source/destination IP, ports, protocols) but do not log IAM API calls, which are control-plane operations logged separately in Admin Activity audit logs.

483
MCQ · medium

After a major production outage, the engineering team conducts a review of what happened, why it happened, and how to prevent it in the future. This document is shared with all engineering teams. What is this practice called, and why does Google's SRE culture emphasize it?

A. Performance review — identifying which engineers caused the outage for disciplinary action.
B. Blameless postmortem — documenting the incident, root causes, and preventive actions to drive systemic learning without individual blame.
C. Capacity planning review — ensuring enough servers are provisioned to prevent future outages.
D. Change advisory board (CAB) review — approving that the outage fix is safe to deploy.
Answer: B

Blameless postmortems build organizational knowledge from failures. By avoiding blame, teams can honestly analyze contributing factors, including cultural and process issues, to make permanent improvements.

Why this answer

Option B is correct because a blameless postmortem is a core SRE practice that focuses on documenting incidents, root causes, and preventive actions without assigning individual blame. Google's SRE culture emphasizes this to foster psychological safety, enabling teams to openly share failures and drive systemic improvements, which is essential for maintaining high reliability in large-scale distributed systems.

Exam trap

The trap here is that candidates may confuse a blameless postmortem with a performance review or a change management process, failing to recognize that the key differentiator is the absence of blame and the focus on systemic learning rather than individual accountability.

How to eliminate wrong answers

Option A is wrong because a performance review is an HR process for evaluating employee contributions, not a post-incident analysis; blaming individuals contradicts the blameless culture that encourages honest incident reporting. Option C is wrong because capacity planning review is a proactive process to ensure sufficient resources (e.g., servers, network bandwidth) are provisioned to meet demand, not a reactive review of a specific outage's causes and fixes. Option D is wrong because a change advisory board (CAB) review is an ITIL process for approving changes before deployment, not a retrospective analysis of an incident that has already occurred.

484
Multi-Select · medium

Which TWO of the following are key characteristics of cloud computing as defined by NIST? (Choose 2)

Select 2 answers
A. Virtualization
B. Multi-tenancy
C. Measured service
D. Serverless computing
E. Rapid elasticity
Answers: C, E

Cloud systems automatically control and optimize resource use by metering.

Why this answer

Measured service is a key characteristic of cloud computing as defined by NIST (SP 800-145). It means that cloud systems automatically control and optimize resource usage by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). This allows both the provider and consumer to monitor, control, and report usage, providing transparency for billing and chargeback.

Exam trap

Google Cloud often tests the distinction between enabling technologies (like virtualization) and the official NIST essential characteristics, so candidates mistakenly select virtualization or multi-tenancy because they are commonly associated with cloud computing but are not explicitly listed in the NIST definition.

485
MCQ · hard

A retail company stores petabytes of customer transaction data for compliance reasons. They access data less than once a year but must retain it for 10 years. They want the lowest-cost storage. Which storage class should they choose?

A. Archive storage class
B. Coldline storage class
C. Standard storage class
D. Nearline storage class
Answer: A

Archive is the lowest-cost option for data accessed less than once a year.

Why this answer

Archive storage class is the correct choice because it is designed for data accessed less than once a year, with the lowest storage cost among Google Cloud storage classes. The customer's requirement of retaining data for 10 years with infrequent access aligns perfectly with Archive's 365-day minimum storage duration and retrieval costs that are higher but acceptable given the rare access pattern.

Exam trap

Google Cloud often tests the misconception that 'Coldline' is the lowest-cost option because of its name, but Archive is actually cheaper for data accessed less than once a year, and candidates overlook the access frequency and minimum storage duration requirements.

How to eliminate wrong answers

Option B (Coldline storage class) is wrong because it is optimized for data accessed less than once every 90 days, not less than once a year, and has higher storage costs than Archive. Option C (Standard storage class) is wrong because it is designed for frequently accessed data with no minimum storage duration and has the highest storage cost, making it unsuitable for long-term, rarely accessed compliance data. Option D (Nearline storage class) is wrong because it targets data accessed less than once every 30 days, with storage costs higher than Archive and a 30-day minimum storage duration, which does not match the yearly access pattern.

486
MCQ · medium

A company is planning a cloud architecture and needs to decide between a monolithic application design and a microservices architecture. What is the most significant operational trade-off between these two approaches in a cloud environment?

A. Monoliths can only run on-premises, while microservices were designed specifically for cloud environments
B. Microservices enable independent deployment and scaling per component but introduce distributed systems complexity (network overhead, distributed tracing, service discovery, consistency challenges); monoliths are simpler to operate but scale and deploy as a unit
C. Microservices are always cheaper to operate in the cloud because each service uses fewer resources than a monolith
D. Monolithic applications cannot be scaled horizontally in cloud environments
Answer: B

This accurately captures the key trade-off. Microservices' benefits (independent scale, isolated failures, technology diversity) come with real operational costs: inter-service communication adds latency and failure modes, distributed tracing replaces simple stack traces, and data consistency across services requires careful design.

Why this answer

Monoliths are simpler to develop, test, and deploy initially but scale as a unit and create tight coupling — a change to one part requires deploying the whole application. Microservices enable independent deployment and scaling of components but introduce distributed systems complexity (network calls, service discovery, distributed tracing, eventual consistency). Neither is universally better — the trade-off depends on team size, domain complexity, and operational maturity.

487
MCQ · hard

A company wants to implement SLOs for their API service. They need to measure the proportion of successful requests over a 30-day window. Which metric should they use?

A. availability (uptime)
B. latency at 99th percentile
C. requests/success
D. SLI = good events / total events
Answer: D

SLI directly measures the proportion of successful requests.

Why this answer

Option D is correct because an SLI (Service Level Indicator) is defined as the ratio of good events to total events, which directly measures the proportion of successful requests over a 30-day window. This aligns with the requirement to track request success rate, not just system uptime. In Google Cloud operations, SLOs are built on SLIs that count discrete events like HTTP 200 responses versus all requests.

Exam trap

The trap here is that candidates confuse availability (uptime) with request success rate, not realizing that a service can be 'up' 100% of the time yet fail a large proportion of requests due to application errors.

How to eliminate wrong answers

Option A is wrong because availability (uptime) measures the percentage of time the service is reachable, not the proportion of individual request successes; a service can be up but still return errors for many requests. Option B is wrong because latency at the 99th percentile measures response time distribution, not success rate; it addresses performance, not correctness or error rate. Option C is wrong because requests/success is an inverted ratio that would decrease as success increases, and it is not a standard SLI formula; the correct SLI is good events divided by total events.

488
MCQ · easy

A traditional retailer currently maintains its own data centers, purchasing servers every 3–5 years and paying for facilities, power, and staff regardless of demand. When it migrates its workloads to the public cloud, which change in cost model does it experience?

A. From operational expenditure (OpEx) to capital expenditure (CapEx)
B. From capital expenditure (CapEx) to operational expenditure (OpEx)
C. From variable costs to fixed monthly costs
D. From consumption-based billing to annual depreciation cycles
Answer: B

Cloud eliminates large upfront hardware purchases (CapEx) and replaces them with pay-as-you-go usage fees (OpEx), aligning costs directly with actual business consumption.

Why this answer

When a retailer migrates from owning and maintaining its own data centers to using a public cloud, it shifts from a capital expenditure (CapEx) model—where it buys servers and pays for facilities upfront—to an operational expenditure (OpEx) model, where it pays for cloud services as a recurring, usage-based cost. This change eliminates large upfront hardware investments and replaces them with predictable monthly or consumption-based billing, aligning costs directly with actual demand.

Exam trap

Cisco often tests the misconception that moving to the cloud simply changes cost from variable to fixed, when in fact the fundamental shift is from CapEx (capital expenditure) to OpEx (operational expenditure), with variable costs replacing fixed, upfront investments.

How to eliminate wrong answers

Option A is wrong because it reverses the actual shift: moving from on-premises data centers to the public cloud changes spending from CapEx (buying servers, facilities) to OpEx (pay-as-you-go), not the other way around. Option C is wrong because the cloud model typically converts fixed, upfront costs into variable, consumption-based costs, not from variable to fixed monthly costs; fixed monthly costs are more characteristic of reserved instances or committed use contracts, but the core shift is from CapEx to OpEx. Option D is wrong because consumption-based billing is the new model in the cloud, not the old one; annual depreciation cycles are associated with CapEx for owned hardware, not with cloud billing.

489
Multi-Select · hard

Which THREE practices are recommended for securing a Kubernetes cluster in Google Kubernetes Engine (GKE)?

Select 3 answers
A. Use Binary Authorization to ensure only trusted container images are deployed
B. Enable node auto-repair to automatically fix security vulnerabilities in nodes
C. Enable GKE Sandbox for untrusted workloads to provide an additional layer of isolation
D. Expose the cluster control plane via a public endpoint to allow monitoring
E. Enable Workload Identity to manage access to Google Cloud APIs
Answers: A, C, E

Binary Authorization enforces deployment signing.

Why this answer

Binary Authorization is correct because it enforces deployment-time policy validation, ensuring that only container images signed by trusted authorities (e.g., via KMS) are allowed to run in GKE. This prevents the deployment of untrusted or tampered images, directly addressing supply chain security.

Exam trap

Google Cloud often tests the distinction between operational features (like node auto-repair) and security features, so candidates mistakenly assume auto-repair patches vulnerabilities when it only restores node health, not applies security updates.

490
Multi-Select · easy

A company wants to monitor its Google Cloud spending and receive alerts when costs exceed a threshold. Which two services should they use together?

Select 2 answers
A. Cloud Scheduler
B. Cloud Asset Inventory
C. Cloud Logging
D. Cloud Billing Budgets and Alerts
E. Cloud Monitoring
Answers: D, E

This service allows setting budget thresholds and sending alerts via email or Pub/Sub.

Why this answer

Cloud Billing Budgets and Alerts (D) allows you to define a spending threshold and receive notifications when costs approach or exceed that limit. Cloud Monitoring (E) can ingest those budget alert events and trigger additional actions, such as sending notifications via email, SMS, or Pub/Sub, or integrating with incident management tools. Together, they provide a complete cost monitoring and alerting solution.

Exam trap

The trap here is that candidates often confuse Cloud Logging (which stores logs) or Cloud Scheduler (which runs jobs) with the actual billing alerting service, not realizing that Cloud Billing Budgets and Alerts is the dedicated service for cost thresholds and Cloud Monitoring is needed for centralized alert management.

491
MCQ · medium

A cloud team wants to automatically enforce that all new Compute Engine VMs are created with a specific label (environment: production) and that no VMs are created with external IP addresses in the production project. Which Google Cloud capability enforces these organizational policies at resource creation time?

A. Cloud Monitoring alerting policies that detect and notify when non-compliant VMs are created
B. Organization Policy Service constraints that enforce no external IPs and required labels at resource creation time, blocking non-compliant VMs before they are created
C. Cloud IAM roles that prevent developers from creating VMs without the proper labels
D. Cloud Billing budget alerts that detect when VM spending exceeds expected amounts for labeled resources
Answer: B

Organization Policy Service is the correct answer. The 'compute.vmExternalIpAccess' constraint prevents external IP assignment at creation. Custom org policy constraints can enforce required labels. Both are evaluated before resource creation — if the policy would be violated, the API call is rejected.

Why this answer

Organization Policy Service constraints, specifically `compute.vmExternalIpAccess` and `compute.requireOsLogin` or custom constraints for labels, are evaluated at resource creation time. They block non-compliant VM creation before the API call succeeds, enforcing policies like 'no external IPs' and 'required labels' without relying on post-creation detection or IAM permissions.

Exam trap

Cisco often tests the distinction between reactive monitoring (Cloud Monitoring alerts) and proactive enforcement (Organization Policy Service), leading candidates to pick the monitoring option because they confuse detection with prevention.

How to eliminate wrong answers

Option A is wrong because Cloud Monitoring alerting policies are reactive, not preventive; they detect non-compliant VMs after creation but do not block them. Option C is wrong because Cloud IAM roles control who can create VMs but cannot enforce specific label values or external IP restrictions at resource creation time; IAM lacks the granularity to validate resource configuration. Option D is wrong because Cloud Billing budget alerts monitor spending, not resource compliance; they cannot prevent VM creation or enforce labels or external IP policies.

492
MCQ · medium

A mid-size company runs a batch processing application on a single on-premises server. The processing time varies; during month-end, the workload spikes and the server becomes overloaded, causing delays. The company wants a solution that automatically scales resources for peak times and only pays for extra capacity when used. They are considering migrating to Google Cloud. Which approach meets their needs?

A. Migrate the server to a single, larger Compute Engine instance with a static IP
B. Deploy the application on a managed instance group in Compute Engine with autoscaling
C. Rewrite the batch processing application as a Cloud Function
D. Use Cloud SQL for the database and a single Compute Engine instance for processing
Answer: B

Managed instance group with autoscaling automatically adds/removes instances based on load, and you pay only for the resources used.

Why this answer

Option B is correct because Google Cloud offers autoscaling groups in Compute Engine that can add instances during peak load and remove them when demand drops, with pay-per-second billing. Option A lacks automatic scaling. Option D provides managed services but may not directly solve scaling of their specific application.

Option C is for serverless functions, not ideal for a batch processing app that may run for hours.

493
MCQ · hard

A multinational corporation operates a hybrid cloud environment with on-premises data centers connected to Google Cloud via Dedicated Interconnect. The company uses Cloud Storage to store sensitive financial data and has enabled Cloud Audit Logs for admin activities. Recently, the security team noticed that an unknown actor accessed a bucket containing customer personally identifiable information (PII). The access occurred from an IP address outside the corporate network. The security team suspects that an employee's Google Cloud credentials were compromised. They need to investigate the incident thoroughly and determine the extent of the breach. The company has enabled VPC Flow Logs, but they are not sure how to correlate the audit logs with network flows. They also want to ensure that similar incidents are prevented in the future. What should the security team do first to investigate the incident?

A. Immediately revoke all service account keys and reissue them, then reset all user passwords.
B. Enable Cloud IDS to detect similar attacks and block the malicious IP address.
C. Use Cloud Logging to analyze Cloud Audit Logs and identify the user who accessed the bucket and the associated context.
D. Export VPC Flow Logs to BigQuery and analyze for the attacker's IP address.
Answer: C

Cloud Audit Logs record all resource access and are the primary source for investigating unauthorized access.

Why this answer

Option C is correct because the first step is to analyze Cloud Audit Logs to identify which identities accessed the bucket and from where. This provides the primary leads for the investigation. Option B is wrong because Cloud IDS detects network threats but does not provide historical logs of who accessed a bucket.

Option A is wrong because revoking keys assumes the compromise was via keys, but the incident involves user credentials, not service account keys. Option D is wrong because VPC Flow Logs show network traffic but do not identify the user or API calls.

494
MCQ · hard

An operations team tracks the following metrics for their customer portal: request latency p99, error rate, and requests per second. In Site Reliability Engineering terminology, what are these metrics called, and what do they collectively define?

A. Key Performance Indicators (KPIs) that define the overall health of the business
B. Service Level Agreements (SLAs), defining the contractual commitments made to customers
C. Service Level Indicators (SLIs), which measure specific dimensions of service behavior from the user's perspective and collectively define how reliability is quantified
D. Operational metrics that are only relevant to the infrastructure team and not to business stakeholders
Answer: C

SLIs are the specific measurable quantities that capture how users experience the service. Latency (is it fast enough?), error rate (is it working?), and throughput (is it keeping up?) are the canonical SLI types. Together they provide a quantitative picture of reliability that can be used to set SLO targets.

Why this answer

In Site Reliability Engineering (SRE), the metrics p99 latency, error rate, and requests per second are classified as Service Level Indicators (SLIs). SLIs are carefully chosen quantitative measures of specific aspects of the service's behavior, such as availability, latency, or throughput, as experienced by the end user. Collectively, these SLIs define how reliability is quantified and are used to set and monitor Service Level Objectives (SLOs).

Exam trap

The trap here is that candidates confuse SLIs with SLAs or KPIs, not realizing that SLIs are the raw measurements that feed into SLOs, which then underpin SLAs, and that they are specifically defined from the user's perspective to quantify reliability.

How to eliminate wrong answers

Option A is wrong because while these metrics can be part of business KPIs, the SRE terminology specifically calls them Service Level Indicators (SLIs), not generic KPIs, and they define reliability quantification, not overall business health. Option B is wrong because SLAs are contractual commitments based on SLOs, which are in turn derived from SLIs; the metrics themselves are not the agreements. Option D is wrong because SLIs are explicitly defined from the user's perspective and are critical for business stakeholders to understand service reliability, not just for the infrastructure team.

495
MCQ · easy

A company's production database is running on a Compute Engine VM with a 500 GB Persistent Disk. The operations team wants to create a backup they can restore from in case of data corruption or accidental deletion. Which Google Cloud capability provides point-in-time backup for Persistent Disks?

A. Cloud Storage bucket replication, by continuously copying the database files to a storage bucket
B. Persistent Disk Snapshots, which capture the disk state at a point in time and enable restoration or creation of new disks from that snapshot
C. Cloud SQL automated backups, which protect databases running on Compute Engine VMs
D. VM live migration, which moves the running VM between physical hosts, automatically creating a backup in the process
Answer: B

Persistent Disk Snapshots are the correct mechanism. They capture a consistent point-in-time image of the disk (application-consistent when used with snapshot agent or after flushing I/O). Snapshots are stored in Cloud Storage, incremental after the first snapshot, and can be used to create a new disk or restore data.

Why this answer

Persistent Disk Snapshots are the correct Google Cloud feature for creating point-in-time backups of Persistent Disks. They capture the disk's data and configuration at a specific moment, allowing you to restore the disk or create new disks from that snapshot. This is the native, recommended method for backup and disaster recovery of Compute Engine VM disks.

Exam trap

The trap here is that candidates confuse Cloud SQL backups (which are for managed databases) with the need to back up a database running on a Compute Engine VM, leading them to select option C instead of the correct Persistent Disk Snapshots.

How to eliminate wrong answers

Option A is wrong because Cloud Storage bucket replication is a feature for objects in buckets, not for Persistent Disks; continuously copying database files to a bucket would require custom scripting and does not provide crash-consistent point-in-time backups of the entire disk. Option C is wrong because Cloud SQL automated backups protect Cloud SQL managed databases, not databases running on Compute Engine VMs; Cloud SQL is a separate managed service, not a feature for Compute Engine disks. Option D is wrong because VM live migration moves a running VM between physical hosts for maintenance without downtime, but it does not create a backup or capture a point-in-time state of the disk.

496
Drag & Drop · medium

Drag and drop the steps to set up a Cloud CDN for a backend bucket in the correct order.

Why this order

First create and prepare the bucket, then set up a load balancer, enable CDN, and test.

497
MCQ · easy

A regional hospital chain wants to improve patient outcomes by analyzing electronic health records (EHRs) from multiple departments, including radiology, pathology, and pharmacy. Currently, each department stores data in separate on-premises databases, making it difficult to correlate information. The hospital must comply with HIPAA and other data privacy regulations. They have a small IT team and limited budget for new hardware. They want to enable clinicians to run ad-hoc queries across all data and generate insights using machine learning, without managing infrastructure. Which solution best achieves these goals?

A. Purchase additional on-premises servers and implement a data warehouse with ETL processes.
B. Deploy a third-party analytics SaaS tool and export data from each department manually.
C. Migrate all data to Cloud Storage and grant clinicians access to files for manual analysis.
D. Use Cloud Healthcare API to ingest and standardize data from each department, store in BigQuery, and use BigQuery ML to build predictive models.
Answer: D

This fully managed, HIPAA-eligible solution integrates silos and enables advanced analytics without infrastructure overhead.

Why this answer

Option D is correct because it leverages the Cloud Healthcare API to ingest and standardize data from disparate on-premises databases into a unified format, stores it in BigQuery for serverless ad-hoc querying, and uses BigQuery ML to build predictive models without managing infrastructure. This fully meets HIPAA compliance through built-in data residency and access controls, while the small IT team avoids hardware procurement and maintenance overhead.

Exam trap

Google Cloud often tests the misconception that on-premises data warehouses (Option A) are the only HIPAA-compliant option, but the trap here is that cloud-native services like Cloud Healthcare API and BigQuery are fully HIPAA-eligible and actually reduce compliance burden through automated controls and managed infrastructure.

How to eliminate wrong answers

Option A is wrong because purchasing additional on-premises servers and implementing a data warehouse with ETL processes requires significant upfront hardware investment and ongoing IT management, contradicting the limited budget and small IT team constraints. Option B is wrong because manually exporting data from each department to a third-party analytics SaaS tool is error-prone, non-scalable, and introduces security risks for PHI under HIPAA, as manual processes lack automated auditing and encryption controls. Option C is wrong because migrating all data to Cloud Storage and granting clinicians access to files for manual analysis does not enable ad-hoc querying or machine learning, and raw file access violates HIPAA's minimum necessary and access control requirements.

498
MCQ · easy

A data analyst at a media company needs to run complex SQL queries on petabytes of user engagement data to produce weekly reports. The dataset is stored in Google Cloud. Which Google Cloud product is purpose-built for this type of large-scale analytical SQL workload?

A. Cloud SQL, Google Cloud's managed relational database service
B. BigQuery, Google Cloud's serverless data warehouse for petabyte-scale analytical SQL
C. Cloud Bigtable, Google's NoSQL wide-column database
D. Firestore, Google Cloud's serverless NoSQL document database
Answer: B

BigQuery is precisely designed for this use case. Its serverless architecture, columnar storage format, and distributed query engine make it ideal for analysts running complex SQL against massive datasets. The weekly report workload is a canonical BigQuery use case.

Why this answer

BigQuery is Google Cloud's serverless, highly scalable data warehouse specifically designed for petabyte-scale analytical SQL queries. It separates compute from storage and uses a columnar storage format and a distributed query engine to execute complex SQL on massive datasets without provisioning infrastructure, making it the ideal choice for the described workload.

Exam trap

Cisco often tests the distinction between OLTP databases (Cloud SQL) and OLAP data warehouses (BigQuery), trapping candidates who see 'SQL' and assume any SQL-supporting service works for petabyte-scale analytics, ignoring the fundamental architectural differences in storage, scaling, and query execution.

How to eliminate wrong answers

Option A is wrong because Cloud SQL is a managed relational database service for OLTP workloads (e.g., MySQL, PostgreSQL, SQL Server) and is not designed for petabyte-scale analytical SQL; it has storage and concurrency limits that make it unsuitable for large-scale data warehousing. Option C is wrong because Cloud Bigtable is a NoSQL wide-column database optimized for high-throughput, low-latency read/write operations (e.g., time-series, IoT) and does not support SQL queries or complex analytical joins. Option D is wrong because Firestore is a serverless NoSQL document database for real-time mobile/web applications, not for analytical SQL workloads; it lacks SQL support and is not built for petabyte-scale aggregation or reporting.

499
Multi-Select · hard

Which TWO of the following are important considerations when designing a cloud solution for data residency compliance? (Choose exactly 2.)

Select 2 answers
A. Enabling Cloud Data Residency policies
B. Selecting a Cloud Storage region to store data within required jurisdiction
C. Choosing the lowest-cost storage class
D. Using a single availability zone for all data
E. Encrypting all data at rest
Answers: A, B

Policies prevent data from moving outside allowed regions.

Why this answer

Options A and D are correct. A is correct because data must stay in specific geographic boundaries. D is correct because Cloud Data Residency policies enforce location constraints.

B is incorrect because storing data in a single zone does not guarantee residency; zones are within a region. C is incorrect because encryption does not change data location. E is incorrect because storage class affects availability, not residency.

500
MCQ · hard

A solutions architect is designing a system that must remain available even if an entire Google Cloud region becomes unavailable due to a major disaster. Which deployment approach achieves this goal?

A. Deploying the application across multiple zones within the same Google Cloud region
B. Using a single zone but enabling automatic VM restart policies
C. Deploying the application across multiple Google Cloud regions so that if one region fails, other regions continue serving traffic
D. Enabling Cloud Backup for all VMs in the deployment to allow rapid restoration after a regional failure
Answer: C

Multi-region deployment is required to survive a full regional outage. By running active or active-passive instances in multiple distinct geographic regions, the system continues operating when any single region fails. Each region is geographically separate and runs on independent infrastructure.

Why this answer

Option C is correct because deploying across multiple Google Cloud regions ensures that if an entire region becomes unavailable, traffic can be rerouted to healthy regions, achieving disaster recovery across regional failures. This approach leverages Google Cloud's global load balancing (e.g., External HTTPS Load Balancer with backend services in multiple regions) and regional managed instance groups to maintain availability even when a complete region is lost.

Exam trap

Google Cloud often tests the distinction between zonal and regional fault tolerance, and the trap here is that candidates confuse multi-zone deployment (which handles zonal failures) with multi-region deployment (which is required for regional disaster recovery).

How to eliminate wrong answers

Option A is wrong because deploying across multiple zones within the same region protects against zonal failures but does not protect against a regional disaster, as all zones in a region share the same regional control plane and can fail together. Option B is wrong because using a single zone with automatic VM restart policies only recovers from transient failures within that zone, not from a complete regional outage where the zone itself is unavailable. Option D is wrong because enabling Cloud Backup for all VMs allows data restoration after a failure but does not provide automatic failover or continuous availability; the system would still experience downtime while backups are restored, and it does not address the need for immediate traffic redirection during a regional disaster.

501
MCQ · medium

A company is running a latency-sensitive application on Compute Engine instances in a single zone. They want to improve availability without sacrificing low latency. Which strategy should they use?

A. Deploy instances in multiple zones within the same region
B. Use Cloud CDN to cache content
C. Use larger machine types with more vCPUs
D. Deploy instances in multiple regions
Answer: A

Multiple zones in the same region provide redundancy with low latency.

Why this answer

Deploying instances in multiple zones within the same region provides high availability by distributing workloads across physically separate data centers (zones) while keeping network latency low, as intra-region latency is typically under 1-2 ms. This approach protects against zonal failures without the added latency of cross-region communication, which can be 10-100 ms or more.

Exam trap

The trap here is that candidates confuse high availability with geographic distribution, assuming multiple regions are always better, but the question explicitly requires low latency, which multi-region deployments cannot guarantee due to increased network distance.

How to eliminate wrong answers

Option B is wrong because Cloud CDN caches static content at edge locations to reduce latency for content delivery, but it does not improve the availability of a latency-sensitive application's compute instances or handle dynamic request processing. Option C is wrong because using larger machine types with more vCPUs improves performance for compute-bound tasks but does not provide redundancy or fault tolerance; a single zone failure would still take down all instances. Option D is wrong because deploying instances in multiple regions introduces significant cross-region network latency (often 10-100+ ms), which violates the requirement to maintain low latency for the application.

502
MCQ · medium

An organization's leadership sets a goal to make all future business decisions based on data rather than intuition. They migrate from siloed departmental spreadsheets to a centralized cloud data platform where all teams access the same real-time data. What organizational concept does this represent?

A. Data warehousing — storing historical data for reporting purposes.
B. Data-driven decision making — using objective data analysis rather than intuition to guide business decisions.
C. Business intelligence — creating reports and dashboards.
D. Data governance — policies for who owns and manages data.
Answer: B

Data-driven culture requires both technology (unified data platform) and organizational change (trusting data over hierarchy or intuition). Cloud platforms enable the technology layer; leadership commitment drives the cultural change.

Why this answer

Option B is correct because the scenario describes a shift from intuition-based decisions to decisions grounded in objective data analysis, which is the essence of data-driven decision making. The migration to a centralized cloud data platform ensures all teams access the same real-time data, eliminating silos and enabling consistent, evidence-based choices across the organization.

Exam trap

Google Cloud often tests the distinction between the technology (e.g., data warehousing, BI tools) and the organizational philosophy (data-driven decision making), trapping candidates who focus on the platform migration rather than the behavioral shift it enables.

How to eliminate wrong answers

Option A is wrong because data warehousing focuses on storing historical data for reporting, not on the real-time, decision-making transformation described. Option C is wrong because business intelligence involves creating reports and dashboards from data, but the core concept here is the cultural and operational shift to using data for decisions, not just visualization. Option D is wrong because data governance deals with policies for data ownership and management, which is a supporting framework, not the primary organizational concept of using data to guide decisions.

503
MCQ · medium

A company wants to set up automated checks that continuously verify their website's homepage, login page, and API endpoints are accessible from multiple global locations. If any endpoint becomes unreachable for more than 2 minutes, the on-call engineer should be alerted. Which Cloud Monitoring feature provides this?

A. Cloud Logging log-based alerts that detect 5xx errors in application logs.
B. Cloud Monitoring uptime checks that probe endpoints from global locations with alerting on failure.
C. Cloud Trace that records response times for each user request.
D. Custom scripts on Compute Engine VMs that ping endpoints every minute.
Answer: B

Uptime checks send probe requests from multiple global PoPs at configurable intervals. Failures across multiple locations trigger alerting policies — the managed solution for external availability monitoring.

Why this answer

Cloud Monitoring uptime checks are specifically designed to probe HTTP, HTTPS, or TCP endpoints from multiple global locations at configurable intervals (e.g., every 1 minute). They can trigger alerting policies when a check fails for a specified duration (e.g., 2 minutes), directly matching the requirement for continuous, multi-location endpoint accessibility verification with alerting on sustained failure.

Exam trap

The trap here is that candidates confuse log-based alerts (which detect errors in logs) with proactive uptime checks (which test connectivity), leading them to choose Option A because they think 5xx errors are the only way to detect unreachability, ignoring that a completely down endpoint may not generate logs at all.

How to eliminate wrong answers

Option A is wrong because Cloud Logging log-based alerts analyze log entries (e.g., 5xx errors) but do not actively probe endpoints from global locations; they react to logs already generated, not to connectivity failures that may not produce logs. Option C is wrong because Cloud Trace is a distributed tracing tool that captures latency and request paths for individual user requests, not a monitoring feature for endpoint availability from multiple locations. Option D is wrong because custom scripts on Compute Engine VMs would require manual setup, lack native multi-location probing, and do not integrate with Cloud Monitoring's alerting policies; they are an ad-hoc solution, not a managed service.

504
MCQ · easy

A small IT team needs to grant developers the ability to deploy instances in a project but not delete them. Which IAM best practice should they use?

A. Create a custom role with compute.instances.insert and compute.instances.delete permissions.
B. Assign all developers the primitive role of Editor.
C. Use organization policy to restrict deletion of compute instances.
D. Create a service account for each developer and grant it the compute.instanceAdmin role.
Answer: D

Service accounts are not intended for human users; key management is burdensome.

Why this answer

Option D is correct because creating a service account for each developer and granting the `compute.instanceAdmin` role provides the precise permissions needed to deploy instances (via `compute.instances.insert`) without granting the ability to delete them (the `compute.instanceAdmin` role does not include `compute.instances.delete`). This follows the IAM best practice of least privilege, ensuring developers can perform only the required actions.

Exam trap

Google Cloud often tests the misconception that organization policies can replace IAM roles for user-level permission control, but organization policies are for resource constraints, not identity-based access control.

How to eliminate wrong answers

Option A is wrong because creating a custom role with both `compute.instances.insert` and `compute.instances.delete` permissions explicitly grants the delete capability, which violates the requirement to prevent deletion. Option B is wrong because the primitive role of Editor includes broad permissions that allow deleting compute instances, as well as many other resources, which is excessive and insecure. Option C is wrong because organization policies (e.g., constraints/compute.restrictDelete) can restrict deletion at the organization or folder level, but they apply to all users and cannot selectively allow deletion for some developers while blocking it for others; they are not a substitute for IAM roles.

505
MCQ · medium

An e-commerce company plans its infrastructure for peak shopping events (e.g., Black Friday) which drive 50× normal traffic. On-premises, they must maintain 50× capacity year-round. In the cloud, they provision 50× capacity only during peak periods. Which cloud characteristic enables this cost optimization?

A. Measured service — metering and reporting resource consumption.
B. Elasticity — the ability to rapidly scale resources up during peak demand and release them when no longer needed.
C. Broad network access — accessing resources from any internet-connected device.
D. Resource pooling — the provider's resources are shared among many customers.
Answer: B

Cloud elasticity lets the company provision 50× capacity for Black Friday (days) then scale back to 1× base capacity, paying only for what's used — eliminating year-round over-provisioning costs.

Why this answer

Elasticity is the cloud characteristic that allows resources to be automatically provisioned to handle 50× peak traffic and then de-provisioned when demand subsides, eliminating the need to maintain idle capacity year-round. This contrasts with on-premises infrastructure, where capacity must be statically over-provisioned to handle peak loads, leading to significant cost inefficiency. The ability to scale out and scale in dynamically based on real-time demand is the core enabler of the described cost optimization.

Exam trap

Cisco often tests the distinction between elasticity (dynamic scaling of resources for a single customer) and resource pooling (sharing of resources among multiple customers), leading candidates to confuse the multi-tenant efficiency of pooling with the on-demand scaling characteristic of elasticity.

How to eliminate wrong answers

Option A is wrong because measured service refers to metering and reporting resource consumption for billing and usage tracking, not the ability to dynamically adjust capacity to match demand. Option C is wrong because broad network access describes the capability to access resources from any internet-connected device via standard protocols (e.g., HTTPS, SSH), which is unrelated to scaling infrastructure for peak events. Option D is wrong because resource pooling involves the provider sharing its physical and virtual resources among multiple customers via a multi-tenant model, which improves provider efficiency but does not directly enable a single customer to scale their own resource allocation up and down on demand.

506
MCQ · medium

Refer to the exhibit. The IAM policy is applied at the project level. The bucket 'sensitive-data' exists and contains objects. What is the effective access for user alice@example.com?

A. Alice can view objects in all buckets including sensitive-data.
B. Alice can view objects only in non-sensitive buckets, and can view objects in sensitive-data only after 9 AM due to condition.
C. Alice can view objects in all buckets except sensitive-data.
D. Alice can view and modify objects in all buckets.
Answer: A

Alice has the objectViewer role on the project with no condition, so she can list and read objects in any bucket.

Why this answer

The IAM policy grants the 'roles/storage.objectViewer' role to user alice@example.com at the project level. This role allows listing and reading objects in all buckets within the project, including 'sensitive-data'. The condition 'request.time < 9:00 AM' is a denial condition that only applies to the 'sensitive-data' bucket, but because the policy is applied at the project level and the condition is not met (the request is made after 9 AM), the deny effect does not apply, so Alice retains full view access to all buckets.

Exam trap

Google Cloud often tests the nuance that IAM conditions can be used to deny access only when a specific condition is met, and candidates mistakenly assume that any condition automatically restricts access, ignoring that the condition must evaluate to true for the deny to take effect.

How to eliminate wrong answers

Option B is wrong because the condition 'request.time < 9:00 AM' is a deny condition that would block access only if the request occurred before 9 AM; since the scenario does not specify a time, the default assumption is that the request is made at a time when the condition is not met, so Alice can view objects in sensitive-data at any time. Option C is wrong because the IAM policy grants the objectViewer role at the project level, which applies to all buckets, including sensitive-data, unless explicitly denied by a more specific policy; no such denial exists here. Option D is wrong because the assigned role is 'roles/storage.objectViewer', which only allows read (view) access, not write or modify access; modifying objects would require roles like 'roles/storage.objectAdmin' or 'roles/storage.objectCreator'.

507
MCQ · easy

A company wants to migrate a legacy monolithic application to Google Cloud with minimal code changes. The application runs on a specific OS version and uses a relational database. Which migration approach is most suitable?

A. Rebuild the application using serverless functions
B. Lift and shift to Compute Engine and Cloud SQL
C. Refactor the application into microservices
D. Replatform to use Cloud Run
Answer: B

Minimal changes; move as-is to VMs and managed database.

Why this answer

Option C is correct because 'Lift and shift' (rehosting) moves the application with minimal changes. Option A is wrong because refactoring requires code changes. Option B is wrong because replatforming may require changes to the platform.

Option D is wrong because rebuilding is a complete rewrite.
