Google Cloud Digital Leader (GCDL) — Questions 526600

991 questions total · 14pages · All types, answers revealed

Page 7

Page 8 of 14

Page 9
526
MCQmedium

A team uses multiple cloud services and wants to deploy all resources — VPCs, Cloud SQL databases, GKE clusters, and IAM roles — using a declarative, open-source infrastructure-as-code tool that works across multiple cloud providers. Which tool integrates natively with Google Cloud for this purpose?

A.Cloud Deployment Manager — Google's native IaC service.
B.Terraform
C.Cloud Build — it builds and deploys application code.
D.Ansible — it automates server configuration management.
AnswerB

Terraform's Google Cloud provider covers all GCP resources. Open-source, multi-cloud, declarative HCL configuration, state tracking — the standard IaC tool for managing GCP alongside other clouds.

Why this answer

Terraform is the correct choice because it is a declarative, open-source infrastructure-as-code tool that supports multiple cloud providers, including Google Cloud, through its provider plugin architecture. It allows you to manage VPCs, Cloud SQL databases, GKE clusters, and IAM roles using HashiCorp Configuration Language (HCL) and integrates natively with Google Cloud via the google provider.

Exam trap

The trap here is that candidates often confuse Cloud Deployment Manager (a Google-native, proprietary tool) with a multi-cloud solution, or mistake Cloud Build (a CI/CD tool) for an IaC tool, when the question explicitly requires an open-source, multi-cloud declarative IaC tool.

How to eliminate wrong answers

Option A is wrong because Cloud Deployment Manager is Google's native IaC service, but it is not open-source and only works within Google Cloud, not across multiple cloud providers. Option C is wrong because Cloud Build is a CI/CD service for building and deploying application code, not a declarative IaC tool for managing cloud resources like VPCs or databases. Option D is wrong because Ansible is a configuration management and automation tool focused on server provisioning and application deployment, not a declarative IaC tool for managing cloud infrastructure across providers.

527
MCQhard

A company is running a PostgreSQL database on Cloud SQL and needs to ensure high availability with automatic failover in the event of a zone failure. Which configuration should they use?

A.Enable regional persistent disk and configure a standby instance in a different zone.
B.Use point-in-time recovery.
C.Configure connection pooling.
D.Set up a cross-region read replica.
AnswerA

Cloud SQL provides regional persistent disk storage that replicates data across zones, and a standby instance automatically fails over if the primary zone fails.

Why this answer

Option A is correct because enabling regional persistent disk allows the primary and standby Cloud SQL instances to share the same underlying storage across zones. When a zone failure occurs, the standby instance in a different zone automatically takes over with no data loss, providing high availability with automatic failover.

Exam trap

Google Cloud often tests the distinction between high availability (automatic failover within a region) and disaster recovery (manual or cross-region failover), leading candidates to mistakenly choose cross-region read replicas for HA scenarios.

How to eliminate wrong answers

Option B is wrong because point-in-time recovery (PITR) is a backup and restore feature that allows recovering to a specific timestamp, not a mechanism for automatic failover or high availability. Option C is wrong because connection pooling manages database connections to improve performance and reduce overhead, but it does not provide failover or zone redundancy. Option D is wrong because a cross-region read replica is designed for read scaling and disaster recovery across regions, not for automatic failover within the same region; it requires manual promotion and does not provide automatic failover for the primary instance.

528
Multi-Selectmedium

A company has multiple projects and wants to organize them by environment (dev, test, prod) and by team (engineering, marketing, finance). They also need to apply IAM policies that affect all projects in a given environment. Which TWO steps should they take?

Select 2 answers
A.Create separate billing accounts for each environment
B.Use organization policies at the project level
C.Apply IAM policies at the folder level
D.Use labels to group projects by environment
E.Create folders for each environment (dev, test, prod) and place projects in the appropriate folder
AnswersC, E

Policies at the folder level are inherited by all projects in that folder.

Why this answer

Using folders to group projects by environment allows inheritance of IAM policies. Labels are used for cost attribution and filtering, not for policy enforcement.

529
MCQhard

What is DevOps, and how does cloud adoption reinforce DevOps practices?

A.DevOps is a specific programming language designed for cloud applications.
B.DevOps is a culture of collaboration between development and operations teams, reinforced by cloud's managed CI/CD, infrastructure-as-code, and on-demand environments.
C.DevOps means developers take over all IT operations responsibilities, eliminating operations teams.
D.DevOps is only applicable to software startups — traditional enterprises use ITIL for operations.
AnswerB

Cloud enables DevOps by providing tools (Cloud Build, Terraform, Container Registry) and on-demand environments for testing — reducing friction between code and production deployment.

Why this answer

DevOps is a cultural and technical movement that emphasizes collaboration, automation, and integration between software development (Dev) and IT operations (Ops) teams. Cloud adoption reinforces DevOps by providing managed CI/CD services (e.g., AWS CodePipeline, Azure DevOps), infrastructure-as-code tools (e.g., Terraform, AWS CloudFormation), and on-demand environments that enable rapid provisioning, testing, and deployment. This synergy reduces manual overhead and accelerates the software delivery lifecycle.

Exam trap

The GCDL exam often tests the misconception that DevOps is a tool or a role rather than a culture and set of practices, and that cloud adoption is merely about hosting, ignoring how cloud services like managed CI/CD and IaC directly enable DevOps automation.

How to eliminate wrong answers

Option A is wrong because DevOps is not a programming language; it is a set of practices and a cultural philosophy, whereas cloud applications are built using languages like Python, Java, or Go. Option C is wrong because DevOps does not eliminate operations teams; it integrates development and operations roles, often with shared responsibilities, and operations expertise remains critical for monitoring, security, and reliability. Option D is wrong because DevOps is applicable to organizations of all sizes, including traditional enterprises, and ITIL can coexist with DevOps practices (e.g., ITIL for service management, DevOps for agile delivery); the statement that DevOps is only for startups is a common misconception.

530
MCQmedium

A security engineer notices that a Compute Engine instance is running a VM with a public IP that should not be accessible from the internet. They want to ensure this configuration is prevented by default for all future projects in the organization. What should they do?

A.Set an IAM policy to deny compute.instances.create with public IP
B.Define an Organization Policy with the constraint compute.vmExternalIpAccess
C.Create a VPC firewall rule to deny all traffic from the internet to the VM
D.Use Cloud Security Scanner to identify and remediate
AnswerB

This organization policy restricts public IP assignment on VMs across the organization.

Why this answer

Option B is correct because Organization Policies in Google Cloud allow you to set constraints at the organization, folder, or project level to enforce security controls. The `compute.vmExternalIpAccess` constraint specifically prevents VMs from being created with external IP addresses, ensuring that no future Compute Engine instances in the organization can have public IPs by default. This is a preventive control that applies to all new VM creations, unlike IAM policies or firewall rules which are more granular or reactive.

Exam trap

The trap here is that candidates often confuse IAM policies with Organization Policies, thinking that IAM can restrict resource configurations (like public IPs) when it only controls who can perform actions, not the attributes of the resources created.

How to eliminate wrong answers

Option A is wrong because IAM policies control who can perform actions (like `compute.instances.create`), but they cannot restrict the configuration of a resource (such as whether a public IP is assigned) — IAM does not support conditional constraints on resource attributes like external IP assignment. Option C is wrong because a VPC firewall rule can block traffic to the VM, but it does not prevent the VM from having a public IP address; the VM would still be reachable from the internet if the firewall rule is misconfigured or not applied, and it does not enforce a default policy for future projects. Option D is wrong because Cloud Security Scanner is a tool for finding vulnerabilities in web applications (like XSS or CSRF), not for enforcing organizational policies on VM public IP assignment; it is a detective control, not a preventive one.

531
MCQhard

A healthcare company runs its critical application on Google Cloud. The application uses Cloud SQL for patient records, Cloud Storage for medical images, and Pub/Sub for data ingestion. The security team requires that all data at rest be encrypted with a key that is managed and rotated by their on-premises HSM. They also need to ensure that any potential data exfiltration is immediately detected and prevented. Recently, a vulnerability scan revealed that a Cloud SQL instance had a public IP. The team wants to enforce that no Cloud SQL instance can be created with a public IP across the entire organization. Additionally, they need to implement a solution to monitor and alert on any suspicious activity, such as a large download from Cloud Storage. They have a limited budget and cannot afford complex custom solutions. Which combination of Google Cloud services should they use to meet these requirements?

A.Use CMEK with Cloud KMS for encryption, set an Organization Policy to restrict public IPs on Cloud SQL, and configure Cloud Audit Logs with alerting via Cloud Monitoring to detect data exfiltration.
B.Use Cloud External Key Manager (EKM) for encryption, define an Organization Policy constraint to prohibit public IPs on Cloud SQL, deploy Security Command Center with Event Threat Detection to monitor for data exfiltration, and implement VPC Service Controls to limit data access.
C.Use default encryption with Google-managed keys, set an IAM condition to deny public IP on Cloud SQL, and configure Cloud Data Loss Prevention to detect sensitive data exfiltration.
D.Use Cloud HSM for encryption, create a VPC firewall rule to block all incoming traffic to Cloud SQL, and use Cloud Armor to protect against data exfiltration.
AnswerB

EKM integrates with on-prem HSM; Organization Policy enforces no public IPs; SCC with Event Threat Detection detects exfiltration; VPC Service Controls prevent exfiltration.

Why this answer

Option B is correct because Cloud External Key Manager (EKM) allows you to use an external key management system (on-premises HSM) for encrypting data at rest in Google Cloud services like Cloud SQL, Cloud Storage, and Pub/Sub. The Organization Policy constraint `constraints/sql.restrictPublicIp` can enforce that no Cloud SQL instance is created with a public IP. Security Command Center with Event Threat Detection provides out-of-the-box monitoring and alerting for suspicious activities like large downloads from Cloud Storage, while VPC Service Controls adds a data exfiltration prevention layer by restricting data movement outside a defined service perimeter.

Exam trap

Google Cloud often tests the distinction between key management options (CMEK vs. EKM vs. Cloud HSM) and the difference between detection (Cloud Audit Logs, Event Threat Detection) and prevention (VPC Service Controls), leading candidates to choose a solution that only detects but does not prevent data exfiltration.

How to eliminate wrong answers

Option A is wrong because CMEK with Cloud KMS uses keys managed within Google Cloud, not an on-premises HSM, and Cloud Audit Logs with Cloud Monitoring alone cannot prevent data exfiltration—they only provide logging and alerting, not active prevention. Option C is wrong because default encryption uses Google-managed keys, not customer-managed keys from an on-premises HSM, and IAM conditions cannot enforce a restriction on Cloud SQL public IPs at the organization level (that requires an Organization Policy). Option D is wrong because Cloud HSM is a Google-managed HSM service, not an on-premises HSM, and VPC firewall rules cannot block public IP assignment on Cloud SQL (they control network traffic, not resource configuration), while Cloud Armor is a web application firewall, not a data exfiltration detection or prevention tool.

532
MCQeasy

Which Google Cloud service provides a fully managed, serverless data warehouse for petabyte-scale analytics with SQL?

A.Cloud SQL
B.BigQuery
C.Dataproc
D.Dataflow
AnswerB

BigQuery is the correct answer: serverless, highly scalable, SQL-based data warehouse.

Why this answer

BigQuery is Google Cloud's fully managed, serverless data warehouse. It supports SQL queries at petabyte scale with no infrastructure to manage. Cloud SQL is for OLTP, Dataproc is for Hadoop/Spark, and Dataflow is for stream/batch processing.

533
MCQeasy

A startup wants to launch a new mobile app globally. They expect user traffic to be unpredictable and want to only pay for the compute resources they use. Which cloud benefit BEST addresses this need?

A.Global Reach
B.Agility
C.Pay-as-you-go pricing
D.Scalability
AnswerC

Pay-as-you-go means no upfront costs and billing based on consumption, matching the startup's need for cost efficiency.

Why this answer

The pay-as-you-go model allows startups to avoid large upfront capital expenditure and only pay for actual usage, which is ideal for unpredictable workloads.

534
MCQeasy

An organization wants to reduce latency for users in Europe. They plan to deploy their application in a Google Cloud region located in Europe. Which region should they choose?

A.us-central1
B.asia-east1
C.australia-southeast1
D.europe-west1
AnswerD

europe-west1 is in Europe, reducing latency for European users.

Why this answer

europe-west1 is located in Belgium, Europe, providing low latency for European users.

535
Multi-Selecthard

Which TWO of the following cloud characteristics directly enable a business to innovate faster than using traditional IT?

Select 2 answers
A.Global infrastructure that allows launching in new regions quickly
B.Vendor lock-in for long-term contracts
C.Capital expenditure model for budgeting
D.Customizable hardware configurations for optimal performance
E.Self-service provisioning of resources in minutes
AnswersA, E

Expanding to new markets without building data centers accelerates growth.

Why this answer

Option A is correct because a global infrastructure with multiple regions and edge locations allows businesses to deploy applications and services in new geographic areas rapidly, reducing time-to-market compared to building or leasing physical data centers. Option E is correct because self-service provisioning enables developers to spin up resources like virtual machines, databases, or containers in minutes via APIs or console, eliminating the weeks-long procurement and setup cycles of traditional IT, thus accelerating experimentation and iteration.

Exam trap

Google Cloud often tests the misconception that capital expenditure (CapEx) is more predictable and thus faster for innovation, but the trap is that CapEx actually introduces procurement delays and financial friction, whereas cloud's operational expenditure (OpEx) model enables rapid, on-demand scaling without upfront investment.

536
MCQeasy

A company needs to store files that are accessed infrequently (once a quarter) and wants the lowest storage cost. Data retrieval can take a few hours. Which Cloud Storage class should they use?

A.Archive
B.Nearline
C.Coldline
D.Standard
AnswerA

Archive class is the cheapest, designed for data accessed less than once a year with retrieval times up to hours.

Why this answer

Archive storage is the lowest-cost storage class for data accessed less than once a year, with retrieval times up to hours. Coldline is for data accessed less than once a month. Nearline is for data accessed less than once a quarter, but Archive is cheaper.

Standard is for frequently accessed data.

537
MCQmedium

A company runs a batch processing job every night that takes 6 hours on a fixed number of virtual machines. They want to reduce costs without increasing job duration. Which strategy should they use?

A.Use preemptible VMs
B.Increase the number of VMs
C.Purchase committed use contracts
D.Use larger persistent disks
AnswerA

Preemptible VMs are much cheaper and can handle batch jobs if the job is fault-tolerant.

Why this answer

Option C is correct because preemptible VMs are up to 80% cheaper and suitable for fault-tolerant batch jobs. Option A is wrong because persistent disks add cost. Option B is wrong because more VMs increase cost.

Option D is wrong because it is a reserved capacity commitment, which is for predictable workloads and not cheaper for short jobs.

538
MCQhard

A company wants to receive near-real-time notifications when spending in a project exceeds 50%, 75%, and 100% of a monthly budget of $50,000. They also want to automatically disable billing for the project if spending exceeds $60,000. Which configuration should they use?

A.Use the Cost Management dashboard to monitor spending and disable billing manually.
B.Create a budget alert at 100% only and manually disable billing when alerted.
C.Create a budget with thresholds at 50%, 75%, 100% and set the 'disable billing' action on the budget.
D.Create a budget with thresholds at 50%, 75%, 100% and set up a Cloud Function that listens to Pub/Sub messages from the budget to automatically disable billing when a 120% threshold is exceeded.
AnswerD

This is the correct approach: use budget notifications via Pub/Sub to trigger a Cloud Function that disables billing.

Why this answer

Budgets can be set with multiple threshold rules for notifications. However, automatically disabling billing requires a separate automation (e.g., Cloud Functions triggered by Pub/Sub) because budgets do not perform actions beyond notifications and Pub/Sub messages.

539
MCQhard

A multinational corporation needs to establish a private, low-latency connection between their on-premises data center and Google Cloud. The connection must be consistent, reliable, and support at least 10 Gbps throughput. Which solution should they use?

A.Cloud NAT with static IP addresses
B.Dedicated Interconnect
C.Partner Interconnect via a service provider
D.Cloud VPN using IPsec tunnels over the public internet
AnswerB

Dedicated Interconnect provides a direct, private connection with high throughput and low latency.

Why this answer

Dedicated Interconnect provides a direct, private physical connection between an on-premises network and Google Cloud, offering consistent, reliable, low-latency connectivity with throughput options of 10 Gbps or 100 Gbps per link. This meets the requirement for a private, low-latency connection with at least 10 Gbps throughput, as it bypasses the public internet entirely and provides a Service Level Agreement (SLA) for uptime and performance.

Exam trap

Google Cloud often tests the distinction between Dedicated and Partner Interconnect, where candidates mistakenly choose Partner Interconnect for higher throughput, but Dedicated Interconnect is the only option that provides direct, private physical links at 10 Gbps or 100 Gbps without a service provider intermediary.

How to eliminate wrong answers

Option A is wrong because Cloud NAT is used for outbound internet access from private instances and does not provide a private, low-latency connection between on-premises and Google Cloud; it is a network address translation service, not a connectivity solution. Option C is wrong because Partner Interconnect relies on a supported service provider and typically offers lower throughput options (e.g., 50 Mbps to 10 Gbps) and may introduce additional latency or dependency on the provider's network, whereas the requirement specifies a direct, private connection with at least 10 Gbps throughput, which Dedicated Interconnect fulfills without a third-party intermediary. Option D is wrong because Cloud VPN uses IPsec tunnels over the public internet, which introduces variable latency, potential packet loss, and lower throughput (typically up to 3 Gbps per tunnel), and does not provide the consistent, reliable, low-latency performance required for a 10 Gbps connection.

540
MCQmedium

A security administrator needs to grant a developer the minimum permissions to create and delete Cloud Storage buckets in a specific project, but NOT allow them to modify the contents of those buckets (e.g., upload or delete objects). Which IAM role should they assign?

A.Storage Admin (roles/storage.admin)
B.Storage Object Admin (roles/storage.objectAdmin)
C.Custom role with storage.buckets.* permissions
D.Project Editor (roles/editor)
AnswerC

A custom role with permissions like storage.buckets.create, storage.buckets.delete, and storage.buckets.get allows bucket management without object access.

Why this answer

Storage Admin (roles/storage.admin) grants full control over buckets and objects, which is too permissive. The correct approach is to create a custom role with only storage.buckets.* permissions, or use predefined roles like Storage Object Admin? Actually, Storage Object Admin allows object management. The question requires bucket management only.

A custom role with storage.buckets.create and storage.buckets.delete (and maybe storage.buckets.get) is necessary; predefined roles do not separate bucket and object permissions perfectly. But among standard roles, 'Storage Admin' is too broad; there is no predefined role that only allows bucket management without object access. So the answer must be a custom role.

541
MCQeasy

What is an API (Application Programming Interface), and why is it fundamental to cloud services and digital transformation?

A.An API is a type of database that stores application settings.
B.An API is a standardized interface that allows software components to communicate, enabling programmatic access to cloud services and digital ecosystem integration.
C.An API is a security protocol that encrypts data between applications.
D.APIs are only used by large technology companies and are too complex for small businesses.
AnswerB

APIs are the 'connective tissue' of digital systems. Cloud services expose APIs for programmatic control. Businesses build ecosystems by composing and exposing APIs — the foundation of digital transformation.

Why this answer

Option B is correct because an API is a standardized interface (often RESTful, using HTTP methods like GET, POST, PUT, DELETE) that enables software components to communicate and exchange data. In cloud services, APIs are fundamental because they allow programmatic access to resources (e.g., AWS EC2, Azure VMs) without manual intervention, forming the backbone of automation, orchestration, and integration in digital transformation initiatives.

Exam trap

Google Cloud often tests the misconception that an API is a database or a security protocol, so candidates must remember that APIs are primarily about standardized communication and programmability, not data storage or encryption.

How to eliminate wrong answers

Option A is wrong because an API is not a database; it is an interface for communication, whereas databases (e.g., SQL, NoSQL) store and manage data. Option C is wrong because an API is not inherently a security protocol; while APIs can use security measures like OAuth 2.0 or TLS, their primary purpose is interoperability, not encryption. Option D is wrong because APIs are used by organizations of all sizes, including small businesses, to integrate cloud services, SaaS applications, and microservices, and are not exclusive to large technology companies.

542
MCQmedium

A company wants to use machine learning to analyze customer reviews without building and training models from scratch. They need a pre-trained model that can classify sentiment. Which Google Cloud service should they use?

A.Cloud Natural Language API
B.Vertex AI
C.AutoML Natural Language
D.Dialogflow
AnswerA

The API offers pre-trained sentiment analysis out of the box.

Why this answer

Cloud Natural Language API provides pre-trained models for sentiment analysis, entity recognition, etc. AutoML Natural Language requires custom training. Vertex AI is a platform for building custom models.

Dialogflow is for conversational interfaces.

543
Multi-Selecthard

A company wants to reduce costs for its batch processing jobs that run nightly on Compute Engine. The jobs are fault-tolerant and can be interrupted. They are considering using preemptible VMs. Which THREE statements about preemptible VMs are true?

Select 3 answers
A.Preemptible VMs can be migrated to regular VMs if preemption occurs.
B.Preemptible VMs do not offer live migration.
C.Preemptible VMs provide the same SLA as standard VMs.
D.Preemptible VMs can run for up to 24 hours before they may be terminated.
E.Preemptible VMs are significantly cheaper than standard VMs.
AnswersB, D, E

They are terminated on preemption, no live migration.

Why this answer

Preemptible VMs can be terminated at any time within 24 hours (typical max 24h). They are significantly cheaper than regular VMs. They cannot be migrated to regular VMs; you must recreate them.

They do not offer live migration. They are suitable for fault-tolerant batch jobs.

544
MCQmedium

A solutions architect is explaining why using managed cloud database services (like Cloud SQL or Cloud Spanner) is preferable to running a database on a self-managed virtual machine in most cases. What is the primary operational advantage of managed database services over self-managed databases on VMs?

A.Managed databases are always significantly cheaper than self-managed databases on VMs
B.Managed database services automate operational tasks like backups, patching, HA failover, and scaling — freeing engineering teams to focus on application development rather than database administration
C.Managed databases guarantee better query performance than self-managed databases for all workload types
D.Managed databases provide stronger data encryption than self-managed databases on VMs
AnswerB

This is the core value proposition of managed databases. The cloud provider handles: automated daily backups with point-in-time recovery, OS and database software patching, automatic failover for high availability, and storage scaling. Engineering teams avoid the specialized DBA work required for self-managed databases.

Why this answer

Option B is correct because managed database services like Cloud SQL and Cloud Spanner abstract away the operational overhead of database administration. They automate critical tasks such as automated backups, patch management, high-availability failover, and horizontal scaling, which allows engineering teams to focus on application logic rather than managing database servers, replication, or storage.

Exam trap

The GCDL exam often tests the misconception that managed services are always cheaper or always faster, when the primary advantage is operational automation and reduced administrative burden, not cost or performance guarantees.

How to eliminate wrong answers

Option A is wrong because managed databases are not always significantly cheaper; they often have higher per-hour costs than self-managed VMs, though they can reduce total cost of ownership by eliminating administrative labor and infrastructure overhead. Option C is wrong because managed databases do not guarantee better query performance for all workload types; performance depends on instance size, query optimization, and workload characteristics, and self-managed databases can be tuned more aggressively for specific use cases. Option D is wrong because both managed and self-managed databases can implement strong encryption (e.g., AES-256 at rest, TLS 1.3 in transit); encryption is a configuration choice, not an inherent advantage of managed services.

545
MCQeasy

A developer is troubleshooting a slow response from a Cloud Run service. Which Google Cloud service can they use to trace requests across microservices?

A.Cloud Profiler
B.Cloud Trace
C.Cloud Logging
D.Cloud Debugger
AnswerB

Cloud Trace collects latency data from distributed systems.

Why this answer

Cloud Trace is the correct service because it is specifically designed for distributed tracing, collecting latency data from applications and displaying it in a trace timeline. It can trace requests as they propagate across multiple microservices, including Cloud Run services, by using trace context propagation headers (e.g., `X-Cloud-Trace-Context`). This allows the developer to identify bottlenecks and slow components in a request path.

Exam trap

The trap here is that candidates often confuse Cloud Trace with Cloud Logging, thinking that log aggregation alone can reconstruct request paths, but Cloud Trace is the only service that provides distributed tracing with explicit span context propagation across microservices.

How to eliminate wrong answers

Option A is wrong because Cloud Profiler is a statistical, low-overhead profiler that identifies which code paths consume the most CPU or memory, not a tool for tracing individual request flows across microservices. Option C is wrong because Cloud Logging aggregates and stores log entries but does not provide end-to-end request tracing or visualize the path of a single request across services. Option D is wrong because Cloud Debugger allows you to inspect the state of a running application at a specific code point without stopping it, but it does not trace request propagation or measure latency across services.

546
Multi-Selecthard

Which THREE components should a company include in their architecture to design a global web application with low latency for users worldwide?

Select 3 answers
A.Cloud CDN.
B.Anycast IP addressing.
C.External HTTP(S) Load Balancer.
D.Backend buckets for static content.
E.Regional internal load balancer.
AnswersA, B, C

Cloud CDN caches content at edge locations worldwide, reducing latency for users.

Why this answer

A Cloud CDN caches content at edge locations worldwide, reducing latency by serving users from a nearby point of presence (PoP). This is essential for a global web application because it minimizes the round-trip time for static and dynamic content, directly addressing the requirement for low latency across geographically distributed users.

Exam trap

The trap here is that candidates often confuse backend buckets as a global latency solution, but they are merely a storage backend that must be paired with a CDN or load balancer to achieve low latency worldwide.

547
MCQeasy

A company wants to replace its VPN-based remote access with a solution that grants access based on user identity, device security status, and context (e.g., location, IP). Which Google Cloud service should they use?

A.BeyondCorp Enterprise
B.Cloud Armor
C.Identity-Aware Proxy (IAP)
D.Cloud VPN
AnswerA

BeyondCorp Enterprise is Google's zero-trust solution that replaces VPN with identity- and context-aware access.

Why this answer

BeyondCorp Enterprise provides zero-trust remote access without a VPN, using identity and context-aware access policies.

548
Multi-Selecthard

A company is building a microservices architecture on Google Kubernetes Engine (GKE). They need to expose services externally with HTTPS, distribute traffic across the cluster, and protect against DDoS attacks. Which THREE Google Cloud services should they combine? (Choose THREE)

Select 3 answers
A.Cloud DNS
B.VPC firewall rules
C.Cloud CDN
D.Cloud Armor
E.Cloud Load Balancing
AnswersC, D, E

Cloud CDN caches content and helps mitigate DDoS by absorbing traffic.

Why this answer

Cloud Load Balancing distributes external traffic, Cloud Armor provides DDoS and WAF protection, and Cloud CDN caches content and absorbs some DDoS. Cloud DNS resolves names but is not for traffic distribution. VPC firewall rules operate at network layer, not application.

549
MCQhard

A security engineer needs to analyze network traffic for malicious payloads and anomalies in real-time across multiple VPC networks in a project. The solution must be managed and not require deploying third-party appliances. Which service should they use?

A.Security Command Center
B.Cloud Armor
C.Cloud IDS
D.VPC Flow Logs
AnswerC

Cloud IDS is a managed intrusion detection service that analyzes traffic payloads for threats.

Why this answer

Cloud IDS provides managed intrusion detection across VPC networks, analyzing traffic for threats like malware and anomalies.

550
MCQhard

A company is using Cloud SQL for MySQL and notices that read queries are becoming slow as the application scales. They want to offload read traffic from the primary instance to improve performance. Which Cloud SQL feature should they enable?

A.Automatic failover replicas
B.Connection pooling
C.Point-in-time recovery
D.Read replicas
AnswerD

Read replicas allow distributing read queries to replicas, improving scalability.

Why this answer

Cloud SQL read replicas are read-only copies of the primary instance that can serve read traffic, reducing load on the primary and improving query performance.

551
MCQmedium

A technology company runs its containerized microservices on Google Kubernetes Engine (GKE). The development team frequently pushes new container images to Container Registry, and those images are deployed to a production cluster. The security team recently discovered that a few running containers have critical vulnerabilities from outdated base images. They want to enforce a policy that only vulnerability-scanned and approved images can be deployed in the production cluster. The team uses Cloud Build for CI/CD and Container Analysis for vulnerability scanning. Which solution should they implement to meet this requirement?

A.Use Cloud Security Scanner to scan the production cluster for vulnerabilities.
B.Enable Cloud Asset Inventory to monitor image vulnerabilities across projects.
C.Configure Cloud Build to run a vulnerability scan step before pushing images to Container Registry.
D.Enable Binary Authorization with a policy that requires attestations from Container Analysis for all deployments in the production cluster.
AnswerD

Binary Authorization ensures only verified images are deployed by requiring attestations from approved authorities like Container Analysis.

Why this answer

Binary Authorization enforces deployment-time policies that require signed attestations from trusted authorities (like Container Analysis) before an image can be deployed on GKE. By configuring a policy that mandates an attestation from Container Analysis (which performs vulnerability scanning), only images that have been scanned and approved can be deployed, directly meeting the requirement to block containers with critical vulnerabilities.

Exam trap

The trap here is that candidates confuse scanning images (which only identifies vulnerabilities) with enforcing a policy that blocks deployment of vulnerable images, leading them to choose a scanning-only option (like C) instead of the policy enforcement mechanism (Binary Authorization).

How to eliminate wrong answers

Option A is wrong because Cloud Security Scanner is designed to find web application vulnerabilities (e.g., XSS, SQLi) in App Engine, Compute Engine, and GKE services, not to enforce deployment policies or scan container images for OS-level vulnerabilities. Option B is wrong because Cloud Asset Inventory provides a historical view of cloud resources and their metadata (including vulnerability findings from Container Analysis), but it cannot enforce a policy that blocks deployments; it is a monitoring and inventory tool, not a policy enforcement mechanism. Option C is wrong because running a vulnerability scan step before pushing images to Container Registry only ensures images are scanned at build time, but it does not prevent a developer from bypassing the scan or deploying an older, unscanned image; it lacks the deployment-time enforcement that Binary Authorization provides.

552
MCQhard

An organization stores sensitive data in BigQuery. They need to restrict access to specific columns based on user role, while allowing analysis at the dataset level. Which feature should they use?

A.BigQuery row-level security
B.Column-level access control using authorized views or taxonomy policies
C.IAM roles at the dataset level with fine-grained permissions
D.Cloud Data Loss Prevention (DLP) to mask data
AnswerB

Authorized views can restrict column access, and BigQuery column-level security with taxonomy policies can be used.

Why this answer

Option B is correct because BigQuery column-level access control, implemented through authorized views or taxonomy policies (via Data Catalog), allows restricting access to specific columns while preserving dataset-level analysis permissions. Authorized views use SQL logic to expose only permitted columns, and taxonomy policies apply fine-grained access controls at the column level without requiring separate datasets.

Exam trap

Google Cloud often tests the distinction between row-level and column-level access controls, and the trap here is that candidates confuse row-level security (which filters rows) with column-level security (which restricts columns), or mistakenly think IAM dataset-level roles can achieve fine-grained column restrictions.

How to eliminate wrong answers

Option A is wrong because BigQuery row-level security restricts access to specific rows based on filters, not columns, and does not address column-level restrictions. Option C is wrong because IAM roles at the dataset level provide coarse-grained access to entire tables or datasets, but cannot restrict access to individual columns within a table. Option D is wrong because Cloud Data Loss Prevention (DLP) is used for data discovery, classification, and masking of sensitive data, but it does not enforce persistent column-level access control for ongoing query access; it is a scanning and transformation tool, not an access control mechanism.

553
MCQmedium

A cloud team receives an alert that a critical production service's error rate has spiked. Following incident response best practices, what is the correct first priority action?

A.Identify and fix the root cause before taking any other action to ensure the fix is complete
B.Mitigate user impact immediately (e.g., rollback, traffic rerouting, scaling) while beginning parallel investigation of the root cause
C.Wait to understand the full scope of the issue and inform all stakeholders before taking any technical action
D.Escalate to senior leadership and wait for their approval before making any production changes
AnswerB

Mitigation first is the correct incident response approach. Stop the bleeding before diagnosing the cause. If a recent deployment caused the spike, roll back immediately. If it's a capacity issue, scale up. Investigation into root cause runs in parallel but mitigation is prioritized.

Why this answer

Option B is correct because incident response best practices prioritize reducing user impact first. In Google Cloud, this could involve rolling back a deployment via Cloud Deploy, rerouting traffic with a load balancer, or scaling up instances with Managed Instance Groups, all while a parallel investigation into the root cause begins. This aligns with the SRE principle of 'error budget' and the 'mitigate before diagnose' approach.

Exam trap

The trap here is that candidates confuse 'root cause analysis' with 'first response' — Google Cloud often tests the principle that immediate mitigation (e.g., rollback, scaling) takes precedence over diagnosis, even if the fix is temporary.

How to eliminate wrong answers

Option A is wrong because it violates the incident response principle of 'stop the bleeding' first; waiting to fix the root cause before mitigating impact prolongs user downtime and can violate SLAs. Option C is wrong because waiting to understand the full scope before taking action delays mitigation, increasing user impact and potentially breaching SLOs; parallel investigation is key. Option D is wrong because escalating for approval before acting introduces unnecessary latency; incident response requires immediate technical action to restore service, with post-incident review for leadership.

554
MCQeasy

A retail company wants to migrate its on-premises e-commerce platform to Google Cloud. The application is stateless and runs on virtual machines. The company wants to minimize operational overhead and allow the application to automatically scale based on CPU utilization. Which Google Cloud service should they use?

A.Google Kubernetes Engine (GKE)
B.Cloud Run
C.Compute Engine with managed instance groups and autoscaling
D.App Engine Standard Environment
AnswerC

Allows automatic scaling based on CPU utilization with low operational overhead.

Why this answer

Option C is correct because the application runs on virtual machines and is stateless, making Compute Engine with managed instance groups and autoscaling the most direct fit. Managed instance groups automatically handle scaling based on CPU utilization without requiring containerization or code changes, minimizing operational overhead while preserving the existing VM-based architecture.

Exam trap

The trap here is that candidates often choose GKE or Cloud Run because they associate 'autoscaling' with Kubernetes or serverless, but the question specifies 'virtual machines' and 'minimize operational overhead,' which points to a VM-native solution like Compute Engine with MIGs, not containerization or serverless platforms.

How to eliminate wrong answers

Option A is wrong because Google Kubernetes Engine (GKE) requires containerizing the application, which adds operational overhead for managing clusters and containers, contradicting the goal of minimizing overhead. Option B is wrong because Cloud Run is a serverless platform for containerized applications that scales based on HTTP requests, not CPU utilization, and does not support virtual machines. Option D is wrong because App Engine Standard Environment is a fully managed platform for specific runtimes (e.g., Python, Java) and does not support custom virtual machines or CPU-based autoscaling for arbitrary VM images.

555
MCQhard

An organization has a folder for each department, with multiple projects under each folder. The security team wants to deny the creation of VMs with public IPs in all projects under the 'production' folder, except for the 'web-server' project where public IPs are required. How can they implement this using IAM and Organization Policies?

A.Apply a deny policy at the folder level, then use tags with organization policy conditional enforcement to allow the exception project.
B.Apply an allow policy at the project level and a deny policy at the resource level.
C.Apply a deny policy at the organization node and an allow policy at the project level.
D.Use IAM roles to restrict VM creation only in the production folder.
AnswerA

Folder-level deny with tag-based exception allows the specific project.

Why this answer

Set an organization policy at the folder level to deny public IPs, then create a policy tag to allow public IPs on the specific project.

556
Multi-Selectmedium

A company is building a real-time analytics pipeline on Google Cloud. They need to ingest streaming data from IoT devices, process it with low latency, and then store the results for real-time querying. Which TWO services should they use? (Choose TWO.)

Select 2 answers
A.Cloud Pub/Sub
B.Cloud Storage
C.Cloud Dataflow
D.Cloud Functions
E.BigQuery
AnswersA, C

Pub/Sub is a scalable messaging service for ingesting streaming data from IoT devices.

Why this answer

Pub/Sub ingests streaming data reliably, and Dataflow processes it with low latency. Other options are not suitable for real-time streaming analytics.

557
MCQeasy

An organization wants to group related projects under a common parent for policy enforcement and cost tracking. Which GCP resource hierarchy level should be used to group several projects that belong to the same business unit?

A.Organization node
B.Folder
C.Project
D.Resource
AnswerB

Folders group projects and other folders, enabling hierarchical policy inheritance.

Why this answer

Folders are used to group projects (and other folders) into a hierarchy for applying policies and organizing resources by department, team, or environment.

558
MCQmedium

An engineering team uses the command above to create an instance for a batch data processing job that runs nightly and can tolerate interruptions. What business transformation benefit does using the `--preemptible` flag provide?

A.Lower cost for fault-tolerant workloads, enabling more experimentation
B.Higher reliability for critical applications
C.Better performance due to dedicated hardware
D.Enhanced security through automatic patching
AnswerA

Cost savings allow businesses to run more experiments with the same budget.

Why this answer

The `--preemptible` flag creates a preemptible VM instance that can be terminated by Google Cloud at any time, typically after 24 hours, but at a significantly lower cost (up to 60-80% discount). For batch data processing jobs that run nightly and can tolerate interruptions, this cost savings directly enables more experimentation and iterative development because teams can run more jobs or larger datasets for the same budget, accelerating innovation and business transformation.

Exam trap

Google Cloud often tests the misconception that preemptible instances are for reliability or performance, when in fact they are a cost-optimization feature specifically for fault-tolerant, interruptible workloads.

How to eliminate wrong answers

Option B is wrong because preemptible instances are less reliable — they can be terminated at any time, making them unsuitable for critical applications that require high availability. Option C is wrong because preemptible instances do not provide dedicated hardware; they run on shared capacity that can be reclaimed, and performance may vary due to potential preemption. Option D is wrong because the `--preemptible` flag has no relation to security or automatic patching; those are managed separately through OS patch management or container image updates.

559
MCQeasy

A company wants to ensure that their customer data stored in BigQuery is encrypted at rest using customer-managed encryption keys (CMEK). Which Google Cloud service should they use to manage these keys?

A.Cloud HSM
B.Identity-Aware Proxy (IAP)
C.Cloud Key Management Service (Cloud KMS)
D.Secret Manager
AnswerC

Cloud KMS is the key management service for CMEK, allowing customers to control encryption keys.

Why this answer

Cloud Key Management Service (Cloud KMS) allows customers to create, manage, and use encryption keys, including CMEK for BigQuery and other GCP services.

560
MCQmedium

A startup wants to launch a social media app globally. They have no existing IT infrastructure and very limited capital. The app will experience unpredictable traffic patterns, with usage expected to rapidly grow after viral campaigns. They need low latency for users across North America, Europe, and Asia. The development team is small and wants to focus on coding rather than operations. They also need to store user-generated content like images and videos. The CTO is evaluating whether to build on-premises or use cloud services. Which approach best meets their needs?

A.Deploy a single large virtual machine in one region and rely on a CDN to serve content globally.
B.Build the app on Compute Engine with managed instance groups, use Cloud CDN for global low-latency delivery, and Cloud Storage for user content.
C.Purchase and configure servers in a single colocation facility, and use a content delivery network (CDN) for static assets.
D.Use a hybrid cloud model: keep a small on-premises server for core features and burst to the cloud for extra capacity.
AnswerB

Provides autoscaling, global reach, and fully managed services, aligning with startup needs.

Why this answer

Option B is correct because it leverages Google Cloud's fully managed services to meet the startup's needs: Compute Engine with managed instance groups provides auto-scaling for unpredictable traffic, Cloud CDN ensures low-latency global content delivery, and Cloud Storage offers scalable, durable storage for user-generated content. This serverless-like approach minimizes operational overhead, allowing the small team to focus on coding.

Exam trap

Google Cloud often tests the misconception that a CDN alone can solve global latency for a dynamic app, but candidates must recognize that CDNs only cache static content and do not reduce latency for dynamic requests, which require compute resources close to the user.

How to eliminate wrong answers

Option A is wrong because a single large VM in one region creates a single point of failure and cannot provide low latency across North America, Europe, and Asia; a CDN only caches static content, not dynamic app logic, so users far from that region will experience high latency. Option C is wrong because purchasing and configuring servers in a single colocation facility requires significant upfront capital and ongoing operational management, contradicting the limited capital and small team constraints; a CDN for static assets does not address dynamic request latency or auto-scaling for viral traffic spikes. Option D is wrong because a hybrid cloud model still requires maintaining on-premises servers, which incurs capital expenditure and operational overhead, and the core features running on-premises would suffer from latency for global users; it also fails to provide the fully managed, auto-scaling infrastructure needed for unpredictable growth.

561
MCQeasy

A developer accidentally commits an application's Google Cloud service account key to a public GitHub repository. The key is valid and grants access to production resources. What is the correct immediate response?

A.Delete the commit from GitHub history using git rebase; the key is safe once removed from the repository
B.Immediately revoke/delete the exposed service account key in Google Cloud IAM, review Cloud Audit Logs for unauthorized access, and generate a new key distributed through secure channels
C.Change the service account's permissions to read-only to limit the damage from potential misuse
D.Send an internal email informing the security team and wait for their guidance before taking any action
AnswerB

This is the complete correct response: (1) Revoke the key immediately to stop any ongoing unauthorized access. (2) Review Admin Activity and Data Access audit logs to determine if the key was used after exposure. (3) Issue a new key through a secure distribution channel (ideally Secret Manager, not environment variables). Time to revocation is critical.

Why this answer

Option B is correct because the immediate priority is to invalidate the exposed credential to prevent unauthorized access to production resources. Revoking the key in Google Cloud IAM ensures it can no longer be used for authentication, while reviewing Cloud Audit Logs helps identify any potential misuse. Generating a new key and distributing it securely restores access for legitimate applications.

Exam trap

The trap here is that candidates may think removing the key from the repository (Option A) is sufficient, but they overlook that the key remains valid in Google Cloud and can still be used by anyone who already obtained it.

How to eliminate wrong answers

Option A is wrong because deleting the commit from GitHub history does not invalidate the key; anyone who already cloned or forked the repository still has access to the key, and the key remains valid in Google Cloud until explicitly revoked. Option C is wrong because changing the service account's permissions to read-only does not prevent an attacker from using the key to authenticate; the key itself is still valid and could be used for any action the service account is allowed, including reading sensitive data. Option D is wrong because waiting for guidance delays the critical step of revoking the exposed key, increasing the window of opportunity for unauthorized access; immediate action is required to contain the breach.

562
MCQhard

A company runs an e-commerce platform on Google Kubernetes Engine (GKE) using autoscaling. They have a baseline workload and occasional traffic spikes during promotions. They configured a Horizontal Pod Autoscaler (HPA) for their web application pods and a Cluster Autoscaler for the node pool. The HPA targets 70% CPU utilization. During a recent sales event, traffic exceeded expectations. The operations team observed that the HPA increased the desired number of replicas to 50, but only 20 pods were running. The remaining 30 pods were in 'Pending' status. The Cluster Autoscaler logs show repeated messages: 'no capacity to scale up node pool'. The node pool is configured with a maximum of 10 nodes, each with 4 vCPUs, and currently 8 nodes are running. The team checked the node pool's current utilization and found that nodes are near capacity. What should the team do to ensure the application scales correctly during future events?

A.Increase the HPA target CPU utilization to 90% to reduce the number of replicas needed.
B.Reduce the pod resource requests for CPU so that more pods can fit on existing nodes.
C.Increase the maximum number of nodes in the node pool to allow more capacity.
D.Enable extra capacity by creating a second node pool with preemptible VMs.
AnswerC

The node pool has a max of 10 nodes; increasing this limit allows the Cluster Autoscaler to provision additional nodes, resolving the pending pods.

Why this answer

The HPA requested 50 replicas, but only 20 could be scheduled because the existing 8 nodes (each with 4 vCPUs) are near capacity. The Cluster Autoscaler cannot add more nodes because the node pool is capped at 10 nodes. Increasing the maximum number of nodes in the node pool (Option C) allows the Cluster Autoscaler to provision additional nodes to accommodate the pending pods, enabling the HPA to scale as needed.

Exam trap

Google Cloud often tests the misconception that adjusting HPA thresholds or pod resource requests alone can solve capacity issues, when the real bottleneck is the node pool's maximum node limit, which must be increased to allow the Cluster Autoscaler to add nodes.

How to eliminate wrong answers

Option A is wrong because increasing the HPA target CPU utilization to 90% would reduce the number of replicas triggered by CPU, but the underlying capacity shortage remains; pods would still be pending if the node pool cannot grow. Option B is wrong because reducing pod CPU requests might allow more pods per node, but it does not address the node pool's hard limit of 10 nodes; once nodes are full, the Cluster Autoscaler still cannot add more nodes. Option D is wrong because creating a second node pool with preemptible VMs could provide additional capacity, but preemptible VMs can be terminated at any time (within 24 hours) and are not suitable for handling critical traffic spikes; the more direct and reliable fix is to increase the maximum node count in the existing node pool.

563
MCQmedium

A company's data strategy lead explains that their digital transformation is built on a 'data-first culture.' A manager asks what this means practically. Which description best captures what a data-first culture looks like in a cloud-transformed organization?

A.Only the data science team accesses data, and all business decisions are escalated to them for analysis before action
B.All business decisions — from executive strategy to daily operational choices — are informed by data evidence, enabled by self-service analytics tools that make data accessible organization-wide, with governance ensuring data quality and trust
C.The company collects as much data as possible and stores it indefinitely in cloud storage, regardless of whether it is used
D.All data is kept confidential from business users to protect privacy, with only the CTO having access to analytics
AnswerB

This describes a true data-first culture. Decision-making at every level is grounded in evidence. Cloud-based self-service BI tools (like Looker Studio) make this accessible without requiring SQL skills. Data governance ensures the data is trustworthy. This is the cultural and operational transformation, not just a technology deployment.

Why this answer

Option B is correct because a data-first culture in a cloud-transformed organization means that every decision, from strategic to operational, is driven by data evidence. This is enabled by cloud-native self-service analytics tools (e.g., Amazon QuickSight, Google Looker) that democratize access to data across the organization, while cloud governance frameworks (e.g., AWS Lake Formation, Azure Purview) ensure data quality, lineage, and trust. This contrasts with siloed or hoarding approaches, leveraging cloud elasticity and pay-as-you-go models to make data accessible and actionable.

Exam trap

Google Cloud often tests the misconception that a data-first culture means 'collect all data' or 'restrict access to experts,' when the actual cloud transformation principle is about governed, self-service access that empowers all users while maintaining quality and trust.

How to eliminate wrong answers

Option A is wrong because it describes a centralized, bottlenecked model where only the data science team accesses data, which contradicts the 'data-first' principle of democratized access and self-service analytics in the cloud. Option C is wrong because it promotes indiscriminate data collection and indefinite storage, which violates cloud cost optimization (e.g., lifecycle policies, S3 Intelligent-Tiering) and data governance best practices like data minimization and retention policies. Option D is wrong because it restricts data access to only the CTO, which is the opposite of a data-first culture that requires broad, governed access to empower all business users, not just a single executive.

564
MCQmedium

An enterprise wants employees to access internal web applications securely from any location (including remote work from home) without using a VPN. Employees should only access apps they're authorized for, based on their identity and device context. Which Google Cloud service enables this zero-trust access model?

A.Cloud VPN with split tunneling for internal application access.
B.Cloud Identity-Aware Proxy (IAP)
C.Cloud Armor IP allowlist to restrict access to corporate office IP ranges.
D.Cloud Load Balancing with SSL termination.
AnswerB

IAP implements BeyondCorp zero-trust: users authenticate with their Google identity, device context is checked, and only authorized users access specific applications — no VPN or network-level access required.

Why this answer

Cloud Identity-Aware Proxy (IAP) is the correct service because it enforces zero-trust access by verifying a user's identity and device context before granting access to internal web applications, without requiring a VPN. It uses Google's BeyondCorp model to authenticate and authorize each request based on identity and context, allowing secure access from any location.

Exam trap

The trap here is that candidates often confuse network-level security (like VPNs or IP allowlists) with identity-aware access control, assuming that any encrypted tunnel or IP restriction satisfies zero-trust requirements, but zero-trust fundamentally requires per-request identity and context verification, not just network perimeter controls.

How to eliminate wrong answers

Option A is wrong because Cloud VPN with split tunneling still requires a VPN tunnel and does not provide identity- or device-context-based authorization; it only encrypts traffic and routes it to the internal network. Option C is wrong because Cloud Armor IP allowlisting restricts access based on source IP addresses, which fails for remote workers with dynamic IPs and does not verify user identity or device context. Option D is wrong because Cloud Load Balancing with SSL termination only handles traffic distribution and decryption, not authentication or authorization based on user identity and device posture.

565
MCQhard

An administrator wants to enforce that all API calls to a specific Cloud Storage bucket must come from a limited range of IP addresses. Which configuration should they use?

A.Cloud Armor security policy
B.Identity-Aware Proxy (IAP)
C.VPC Service Controls with an access level that includes the IP range
D.VPC firewall rules
AnswerC

VPC Service Controls can restrict API access based on context including IP address.

Why this answer

VPC Service Controls can restrict access based on IP addresses via access levels. IAP is for user authentication. Cloud Armor is for HTTP(S) load balancing.

Firewall rules apply to network traffic, not API access to Cloud Storage.

566
MCQmedium

A company wants to proactively identify underutilized Compute Engine VMs (high provisioned capacity but low actual usage) to reduce costs. Which Google Cloud tool provides recommendations for right-sizing VMs?

A.Cloud Monitoring — set alerts for low CPU utilization.
B.Active Assist Recommender — ML-based VM rightsizing recommendations.
C.Cloud Asset Inventory — lists all VMs and their configurations.
D.Cloud Billing budgets — set spending limits to prevent overspend.
AnswerB

Active Assist analyzes historical VM utilization and recommends specific machine type downgrades (e.g., n2-standard-8 → n2-standard-4) with projected savings. Available in the console and via API.

Why this answer

Google Cloud's Active Assist provides intelligent recommendations including VM rightsizing recommendations. These are powered by ML analysis of actual VM CPU and memory utilization over the past 8 days. The recommendations appear in the Cloud Console (Compute Engine → VM instances → Recommendations) and in the Recommender API.

Rightsizing recommendations suggest optimal machine types based on observed usage, often identifying VMs that can be downsized to save significant costs.

567
Multi-Selectmedium

A company is migrating its on-premises PostgreSQL database to Google Cloud. They need a managed service that is fully compatible with PostgreSQL, offers high availability, and provides automated backups. Which TWO Google Cloud services should they consider?

Select 2 answers
A.Cloud SQL
B.Memorystore
C.AlloyDB
D.Filestore
E.Cloud Bigtable
AnswersA, C

Cloud SQL provides managed PostgreSQL with automated backups, replication, and high availability.

Why this answer

Cloud SQL offers managed PostgreSQL with automated backups and high availability (regional failover replicas). AlloyDB is PostgreSQL-compatible and provides 4x faster transaction processing than standard PostgreSQL, with built-in high availability. Both are appropriate.

Filestore is file storage, Memorystore is a cache, and Bigtable is NoSQL.

568
Multi-Selecteasy

A startup wants to build a serverless event-driven application where a file upload to Cloud Storage triggers a function that sends a notification email. Which TWO services are essential? (Choose 2)

Select 2 answers
A.Cloud Scheduler
B.Cloud Tasks
C.Cloud Functions
D.Cloud Run
E.Cloud Pub/Sub
AnswersC, E

Runs code in response to Cloud Storage events.

Why this answer

Cloud Functions is triggered by Cloud Storage events, and Cloud Pub/Sub can decouple the function from email sending. Alternatively, using Cloud Functions directly, but Pub/Sub is typical for async notifications. Cloud Scheduler is for cron jobs, Cloud Run is not event-driven, and Cloud Tasks is for task queuing.

569
Matchingmedium

Match each Google Cloud security concept to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Identity and Access Management – fine-grained access control

Key Management Service for encryption keys

DDoS protection and web application firewall

Perimeter security to prevent data exfiltration

Centralized vulnerability and threat monitoring

Why these pairings

These are core security services in Google Cloud.

570
Multi-Selecthard

A company is planning to migrate a legacy monolithic Linux application to Google Cloud. They want to minimize changes initially but have the flexibility to modernize later. Which three approaches should they consider?

Select 3 answers
A.Use Cloud Run for stateless containers
B.Replatform to App Engine Flexible Environment
C.Use Migrate for Anthos
D.Refactor to microservices on GKE
E.Rehost on Compute Engine using a custom image
AnswersA, C, E

If the application can be containerized, Cloud Run allows running containers without managing infrastructure, with minimal changes, and offers scalability.

Why this answer

Option A is correct because Cloud Run allows you to deploy stateless containers without modifying the application code, minimizing initial changes while providing serverless scalability and the flexibility to modernize later by refactoring into microservices. This approach supports containerized workloads from a legacy monolithic app with minimal lift-and-shift effort.

Exam trap

Google Cloud often tests the distinction between 'minimal changes' (rehosting or container lift-and-shift) and 'modernization' (refactoring or replatforming), leading candidates to incorrectly select options that require significant code or architecture changes.

571
Multi-Selecthard

A team is designing a CI/CD pipeline for a microservices application. They want to automatically build container images from source code, store them securely, and deploy to GKE. Which THREE services should they include? (Choose three.)

Select 3 answers
A.Cloud Build
B.Cloud Storage
C.Cloud Run
D.Artifact Registry
E.GKE
AnswersA, D, E

Cloud Build builds the container images.

Why this answer

Cloud Build builds container images from source; Artifact Registry stores the images; GKE is the deployment target. Cloud Deploy could also be used for continuous delivery, but the three most essential are Build, Artifact Registry, and GKE.

572
MCQhard

A customer wants to run a containerized application on Google Cloud with zero downtime during updates and the ability to roll back quickly. Which service and deployment strategy should they use?

A.Compute Engine with a load balancer and instance group update
B.Cloud Run with manual traffic splitting
C.Google Kubernetes Engine with rolling updates
D.App Engine with automatic scaling
AnswerC

GKE manages container deployments with rolling updates ensuring zero downtime; rollback is straightforward.

Why this answer

Google Kubernetes Engine (GKE) with a rolling update strategy provides zero-downtime deployments and easy rollback via kubectl rollout undo.

573
Multi-Selectmedium

A company wants to protect sensitive data stored in Cloud Storage from being downloaded by users outside their organization. They also need to prevent data from being copied to external projects. Which TWO services should they use? (Choose two.)

Select 2 answers
A.IAM conditions with access levels
B.Cloud DLP
C.VPC Service Controls
D.Cloud KMS
E.Cloud Armor
AnswersA, C

Correct. IAM conditions can restrict access to authorized users (e.g., those from your domain).

Why this answer

VPC Service Controls create a perimeter around the Cloud Storage buckets to prevent data exfiltration to external projects and unauthorized networks. IAM conditions can restrict access based on identity, but alone cannot prevent data copying to external projects. Cloud DLP can redact sensitive data but does not prevent exfiltration.

Cloud Armor is for HTTP(S) traffic. Cloud KMS encrypts data but does not control access.

574
MCQmedium

A company uses Cloud SQL for PostgreSQL and needs to run complex analytical queries on the same dataset without affecting the performance of the transactional database. What should they do?

A.Schedule periodic exports to Cloud Storage and query with BigQuery
B.Create read replicas of the Cloud SQL instance and run queries on the replicas
C.Upgrade the Cloud SQL instance to a higher machine type
D.Use BigQuery to directly query Cloud SQL via federated queries
AnswerB

Read replicas offload reads without affecting primary instance performance.

Why this answer

Option D is correct because using Cloud SQL read replicas offloads read-only queries from the primary instance. Option A is wrong because BigQuery is for data warehousing, not real-time replication. Option B is wrong because exporting to Cloud Storage is not for live queries.

Option C is wrong because increasing machine type may not isolate analytical loads.

575
MCQeasy

A non-profit organization with limited IT staff wants to use cloud to improve its fundraising and donor management without hiring technology specialists. Which type of cloud service model is most appropriate for this organization's need?

A.Infrastructure as a Service (IaaS), where the organization provisions VMs and installs donor management software
B.Software as a Service (SaaS), where a fully managed donor management application is subscribed to and used without any infrastructure management
C.Platform as a Service (PaaS), where the organization deploys custom-built donor management code
D.Private cloud, where the organization builds its own cloud infrastructure for complete data control
AnswerB

SaaS is the right model. The non-profit subscribes to a ready-to-use donor management application (e.g., Salesforce Nonprofit, Bloomerang, Blackbaud) with no infrastructure to manage. Updates, security, backups, and scaling are all handled by the SaaS provider. The organization's limited IT staff can focus on using the tool, not running it.

Why this answer

Software as a Service (SaaS) is the most appropriate model because it provides a fully managed, ready-to-use donor management application over the internet. The organization's limited IT staff can simply subscribe and use the software without provisioning servers, installing applications, or managing infrastructure, directly addressing the need to avoid hiring technology specialists.

Exam trap

Google Cloud often tests the misconception that IaaS is always the 'foundation' for any cloud solution, but the trap here is that candidates overlook the organization's specific constraint of limited IT staff and choose IaaS, failing to recognize that SaaS eliminates all infrastructure and software management overhead.

How to eliminate wrong answers

Option A is wrong because IaaS requires the organization to provision and manage virtual machines, install the donor management software, and handle OS patching and scaling, which still demands significant IT expertise. Option C is wrong because PaaS requires the organization to write, deploy, and maintain custom code for the donor management application, which necessitates software development skills the organization lacks. Option D is wrong because a private cloud involves building and managing dedicated cloud infrastructure on-premises or hosted, which requires extensive IT staff for hardware, virtualization, and maintenance, contradicting the goal of avoiding technology specialists.

576
Multi-Selectmedium

A company is migrating a legacy monolithic application to Google Cloud. They want to break it into microservices without managing underlying servers or container orchestration. Which TWO Google Cloud services allow them to deploy containerized applications serverlessly?

Select 2 answers
A.Cloud Run
B.Cloud Functions
C.Compute Engine
D.App Engine flexible environment
E.Google Kubernetes Engine (GKE)
AnswersA, D

Cloud Run runs stateless containers in a serverless environment.

Why this answer

Cloud Run and App Engine flexible environment are serverless compute platforms that support containerized applications. Compute Engine and GKE require server/container management. Cloud Functions is serverless but for event-driven functions, not containers.

577
Multi-Selectmedium

A company runs a high-performance computing (HPC) workload on Compute Engine that requires low-latency, high-throughput scratch storage. The workload is checkpointed every hour. Which TWO storage options should the engineer consider for the scratch storage? (Choose 2)

Select 2 answers
A.Persistent Disk (HDD)
B.Persistent Disk (SSD)
C.Local SSD
D.Filestore
E.Cloud Storage
AnswersB, C

Persistent Disk provides durable block storage with good performance; it can be used for scratch if data must survive instance termination.

Why this answer

For HPC scratch storage, local SSDs provide very high IOPS and low latency but are ephemeral. Persistent Disk balanced or SSD provides durable block storage with good performance, but local SSDs are often preferred for scratch due to lower latency. Cloud Storage is object storage, not block.

Filestore is file storage but typically has higher latency than local SSD. The best options are local SSD for performance and Persistent Disk for durability if checkpointed data needs to persist.

578
MCQhard

A data analytics firm wants to query data across Cloud Storage and BigQuery without moving the data. They need a single SQL interface. Which Google Cloud service enables this?

A.Dataproc with Spark SQL
B.BigQuery external tables (federated queries)
C.Cloud SQL federated queries
D.BigQuery Omni
AnswerB

BigQuery can query data directly from Cloud Storage using external tables, without loading.

Why this answer

BigQuery allows querying external data sources like Cloud Storage via external tables (federated queries) without loading data.

579
MCQmedium

A developer needs to deploy a containerized microservice that scales to zero when not in use and automatically scales up on incoming traffic. The microservice uses a custom container image that listens on port 8080. Which Google Cloud compute service is BEST suited for this requirement?

A.Cloud Functions
B.Cloud Run
C.Google Kubernetes Engine (GKE) with Horizontal Pod Autoscaler
D.App Engine standard environment
AnswerB

Cloud Run fully managed runs containers, scales to zero, and scales up based on requests.

Why this answer

Cloud Run is a managed compute platform that runs stateless containers, automatically scales (including to zero), and charges only for resources used during request processing. It fits the requirement perfectly. GKE requires managing a cluster and doesn't scale to zero by default; App Engine standard environment has a sandbox that may not support custom containers; Cloud Functions is limited to specific runtimes.

580
MCQmedium

A healthcare startup is building a HIPAA-compliant application on Google Cloud. They need to encrypt data at rest and manage their own encryption keys. Which service should they use for key management?

A.Cloud IAM
B.Cloud Data Loss Prevention (DLP)
C.Cloud HSM
D.Cloud Key Management Service (Cloud KMS)
AnswerD

Cloud KMS offers software-based key management with customer-managed keys, suitable for HIPAA compliance.

Why this answer

Cloud KMS allows customers to manage their own encryption keys, and when used with CMEK, ensures data-at-rest encryption for HIPAA compliance.

581
MCQmedium

An organization wants to use Google Cloud to analyze large-scale genomic data. The data is stored in Cloud Storage in a compressed format. They need to run a custom Python pipeline that preprocesses the data and then uses a GPU-intensive algorithm for alignment. The preprocessing is CPU-bound and takes 30 minutes per sample, while the alignment takes 1 hour per sample on a GPU. They have thousands of samples. Which compute approach is MOST cost-effective?

A.Use committed use discounts for 1 year on GPU instances
B.Use regular VMs with both CPU and GPU on the same instance
C.Use preemptible VMs with CPU for preprocessing and preemptible VMs with GPU for alignment, with checkpointing
D.Use sole-tenant nodes for data isolation
AnswerC

Preemptible VMs offer large cost savings and the batch workload can handle interruptions.

Why this answer

Using preemptible VMs for both steps can significantly reduce costs, especially for large batches. However, GPU preemptible pricing is also lower. The workload is batch and fault-tolerant if checkpointing is implemented.

Committed use discounts require 1-year commitment; sole-tenant nodes are for isolation; independent scaling of CPU and GPU is not directly available without separate instance groups.

582
MCQmedium

A company is migrating a legacy monolithic application to Google Cloud. The application currently runs on a single physical server with a custom Linux distribution. The team wants to minimize changes to the application while gaining the benefits of cloud infrastructure. Which migration strategy should they use?

A.Rehost the application on Compute Engine using a custom image of the current OS
B.Rebuild the application from scratch on Cloud Run
C.Re-platform the application to a supported OS version
D.Refactor the application into microservices and deploy on GKE
AnswerA

Rehosting (lift and shift) moves the application with minimal changes.

Why this answer

Lift and shift (rehosting) moves the application as-is to the cloud, often by creating a custom image to run on Compute Engine. This minimizes changes. Refactoring (rearchitecting) involves code changes; re-platforming modifies the OS/platform; rebuilding is a full rewrite.

583
MCQeasy

A developer needs to run a custom analysis script on a large dataset once a month. The script runs for about 10 minutes. They want to avoid provisioning servers and only pay for the actual compute time used. Which Google Cloud compute option should they choose?

A.App Engine Standard Environment
B.Compute Engine preemptible VM
C.Google Kubernetes Engine with a single pod
D.Cloud Functions
AnswerD

Cloud Functions is serverless, execute on demand, and charge only for compute time.

Why this answer

Cloud Functions is the correct choice because it is a serverless, event-driven compute service that automatically scales to zero when not in use, charging only for the actual compute time consumed during execution. The 10-minute monthly script fits within Cloud Functions' 9-minute maximum timeout (recently extended to 60 minutes for HTTP-triggered functions in some regions), making it ideal for infrequent, short-lived tasks without provisioning servers.

Exam trap

Google Cloud often tests the misconception that serverless options like Cloud Functions cannot handle long-running tasks, but the 9-minute (or extended 60-minute) timeout is sufficient for many batch jobs, leading candidates to incorrectly choose preemptible VMs or Kubernetes for what is effectively a short-lived, infrequent workload.

How to eliminate wrong answers

Option A is wrong because App Engine Standard Environment requires an app to be deployed and running continuously, incurring costs even when idle, and it is designed for always-on web applications rather than infrequent batch jobs. Option B is wrong because Compute Engine preemptible VMs are short-lived instances that can be terminated at any time within 24 hours, requiring manual provisioning and management, and they charge per second of uptime even if the script runs only once a month. Option C is wrong because Google Kubernetes Engine with a single pod still requires a cluster of nodes to be provisioned and running, leading to continuous costs for the underlying VMs, and it introduces unnecessary orchestration overhead for a simple monthly script.

584
Multi-Selectmedium

A data analyst wants to create interactive dashboards and reports from data stored in BigQuery. They need a free tool that does not require a license. Which TWO tools are appropriate? (Choose TWO.)

Select 1 answer
A.Dataflow
B.Looker
C.BigQuery
D.Google Sheets
E.Looker Studio
AnswersE

Looker Studio (formerly Data Studio) is a free data visualization tool that connects to BigQuery.

Why this answer

Looker Studio is free and connects to BigQuery. Looker is a paid BI platform. Data Studio has been renamed to Looker Studio.

BigQuery and Google Sheets are not dashboard tools.

585
MCQmedium

A company runs batch processing jobs on scheduled intervals. They want to minimise costs by using short-lived compute capacity that can be interrupted but offers significant discounts. Which type of Compute Engine VM should they use?

A.E2 high-memory VMs
B.Sole-tenant nodes
C.Preemptible VMs
D.Confidential VMs
AnswerC

Preemptible VMs are short-lived, cost-effective instances that can be terminated at any time. Suitable for batch and fault-tolerant workloads.

Why this answer

Preemptible VMs (and Spot VMs) offer up to 60-91% discount but can be terminated at any time, making them ideal for batch jobs that can tolerate interruptions.

586
MCQeasy

Which defense-in-depth layer includes measures like access controls, vulnerability management, and intrusion detection systems?

A.Data security
B.Physical security
C.Operational security
D.Infrastructure security
AnswerC

Operational security includes access management, vulnerability management, and monitoring.

Why this answer

Operational security involves the policies and procedures to protect data and systems during operation, including access controls, vulnerability scanning, and intrusion detection. Physical security covers hardware and facilities; infrastructure security covers network and platform; data security covers encryption and data loss prevention.

587
MCQmedium

A company's finance team wants to understand why their cloud bills vary significantly month to month, unlike their fixed on-premises IT costs. Which fundamental cloud pricing characteristic explains this variability?

A.Cloud providers change their prices frequently, causing unpredictable costs
B.Consumption-based pricing means cloud costs scale directly with actual usage, unlike fixed on-premises costs
C.Cloud providers apply hidden fees that vary randomly each month
D.Cloud costs are fixed like on-premises costs; the variability must be caused by billing errors
AnswerB

This is the correct explanation. Cloud is utility-like pricing: a compute-heavy month costs more than a quiet month. Finance teams must shift from thinking about fixed IT budgets to variable cost management tied to business activity levels.

Why this answer

Option B is correct because cloud computing operates on a consumption-based (pay-as-you-go) pricing model, where costs are directly tied to the amount of resources consumed (e.g., compute hours, storage GB, data transfer). Unlike fixed on-premises IT costs, which are incurred regardless of actual usage (e.g., hardware depreciation, facility leases), cloud bills fluctuate as usage scales up or down. This fundamental characteristic explains the month-to-month variability observed by the finance team.

Exam trap

Google Cloud often tests the misconception that cloud pricing is unpredictable or error-prone, when in fact the variability is a deliberate feature of consumption-based pricing, not a flaw or hidden fee.

How to eliminate wrong answers

Option A is wrong because cloud providers do not change their prices frequently; instead, they typically announce price reductions or new tiers well in advance, and pricing is stable over short periods. Option C is wrong because cloud providers are transparent about their pricing models and do not apply hidden fees that vary randomly; all charges are itemized in the billing dashboard based on metered usage. Option D is wrong because cloud costs are not fixed like on-premises costs; the variability is a direct result of consumption-based pricing, not billing errors, and cloud billing systems are highly accurate.

588
MCQhard

A data team has an IAM policy on a BigQuery dataset as shown. Alice needs to run a query that joins across multiple datasets. She receives a permission error. What is the most likely cause?

A.The policy denies all users except Bob
B.Alice lacks the jobUser role to run queries
C.Alice does not have permission to read the dataset
D.Bob’s dataOwner role prevents others from querying
AnswerB

Query execution requires jobUser role in addition to data access.

Why this answer

Option B is correct because the BigQuery `jobUser` role is required to run query jobs, including those that join across datasets. The IAM policy shown only grants dataset-level permissions (like `dataViewer` or `dataOwner`), but Alice lacks the `jobUser` role at the project level, which is necessary to submit a query job. Without this role, she receives a permission error even if she has read access to the datasets.

Exam trap

The trap here is that candidates assume dataset-level read permissions (like `dataViewer`) are sufficient to run queries, but BigQuery requires the separate `jobUser` role at the project level to execute query jobs.

How to eliminate wrong answers

Option A is wrong because the policy does not deny all users except Bob; it only grants specific roles to Bob and others, and does not include an explicit deny statement. Option C is wrong because the error occurs when joining across datasets, which requires the `jobUser` role to run the query job, not just read permission on the dataset. Option D is wrong because Bob's `dataOwner` role does not prevent others from querying; it grants full control over the dataset but does not block other users' permissions.

589
MCQhard

A company runs a batch processing workload every night that takes 60 minutes on a single n1-standard-32 VM. They want to reduce costs by using preemptible VMs but need the job to complete within 90 minutes. The job can be parallelized if necessary. Which approach is most cost-effective?

A.Use a single non-preemptible VM to ensure completion.
B.Use the same VM but as preemptible; if preempted, restart the job from scratch.
C.Split the workload across 4 preemptible n1-standard-8 VMs with checkpointing.
D.Use a single preemptible VM with persistent disk snapshots every 10 minutes.
AnswerC

Smaller VMs are cheaper if preempted, and parallelization reduces total time; checkpointing allows resume.

Why this answer

Preemptible VMs can be terminated at any time, so running multiple smaller instances with checkpointing and retries reduces cost and meets the deadline.

590
MCQmedium

A company uses multiple public clouds (AWS, Azure, Google Cloud) for different workloads. They want to centralize monitoring and logging. Which Google Cloud service can aggregate logs from all clouds?

A.Cloud Audit Logs
B.Cloud Console
C.Cloud Monitoring
D.Cloud Logging
AnswerD

Cloud Logging can ingest logs from multiple clouds via API or agents.

Why this answer

Cloud Logging (formerly Stackdriver) can aggregate logs from various sources, including other clouds, using agents or API ingestion.

591
MCQmedium

A company needs to set a budget for their GCP project and receive notifications when spending reaches 50%, 90%, and 100% of the budget. Which action should they take?

A.Enable Committed Use Discounts to reduce costs.
B.Set up billing export to BigQuery with scheduled queries.
C.Configure a budget alert in Cloud Billing with threshold rules at 50%, 90%, and 100%.
D.Use Active Assist to set cost thresholds.
AnswerC

Budget alerts trigger notifications at specified percentages.

Why this answer

Create a budget with alert thresholds at the desired percentages to receive notifications.

592
Multi-Selectmedium

A company needs to encrypt data at rest using keys that they manage, but they want to reduce operational overhead by having Google Cloud host the key management infrastructure. Which TWO options achieve this? (Choose 2)

Select 2 answers
A.Secret Manager
B.Google-managed encryption keys
C.Customer-supplied encryption keys (CSEK)
D.Cloud HSM
E.Customer-managed encryption keys (CMEK)
AnswersD, E

Cloud HSM is a managed HSM that can be used with CMEK for key storage.

Why this answer

CMEK uses Cloud KMS to manage keys, which Google hosts. CSEK requires the customer to supply and manage keys outside Google. Google-managed keys are not customer-managed.

Cloud HSM is a hardware security module that can be used with CMEK. Secret Manager is for secrets, not encryption keys.

593
MCQeasy

A developer wants to deploy a containerized application that can scale down to zero when not in use and charges only for the resources consumed during request processing. Which Google Cloud compute service should they choose?

A.Google Kubernetes Engine (GKE)
B.Compute Engine
C.App Engine Flexible Environment
D.Cloud Run
AnswerD

Cloud Run scales to zero and charges only for request processing time.

Why this answer

Cloud Run is a serverless container platform that automatically scales to zero and charges per request, making it ideal for intermittent workloads. Compute Engine and GKE require always-on infrastructure. App Engine Flexible also requires at least one instance running.

594
MCQmedium

A media company has a web application that serves video content globally. The application is deployed on Compute Engine instances behind a TCP load balancer in a single region. Users in distant regions experience high latency. The company wants to improve performance for all users while keeping operational overhead low. They also need to handle sudden spikes in traffic during live events. What should they do?

A.Deploy additional instances in multiple regions and use a global HTTP(S) load balancer with Cloud CDN.
B.Use Cloud Run for the application and enable automatic scaling globally.
C.Move the application to Google Kubernetes Engine and use horizontal pod autoscaling.
D.Increase the machine type of existing instances and add more instances in the same region.
AnswerA

Reduces latency and handles traffic spikes globally.

Why this answer

Option A is correct because deploying instances in multiple regions and using a global HTTP(S) load balancer with Cloud CDN reduces latency by serving content from edge locations close to users. Cloud CDN caches video content at Google's global edge points of presence (PoPs), while the global HTTP(S) load balancer provides anycast IP-based traffic distribution across regions, handling traffic spikes through automatic scaling and distributed capacity.

Exam trap

The trap here is that candidates may think Cloud Run or GKE with autoscaling alone can solve global latency, but they overlook the need for multi-region deployment and edge caching, which are essential for reducing geographic latency and handling global traffic spikes with low operational overhead.

How to eliminate wrong answers

Option B is wrong because Cloud Run does not support automatic scaling globally across multiple regions; it is a regional service and would require manual multi-region setup or additional services like a multi-cluster ingress, increasing operational overhead. Option C is wrong because moving to Google Kubernetes Engine with horizontal pod autoscaling only addresses scaling within a single cluster and does not solve global latency or provide multi-region load balancing without additional complex configuration. Option D is wrong because increasing machine types and adding instances in the same region does not reduce latency for distant users; it only improves capacity within that single region, failing to address geographic distance.

595
MCQeasy

What is the primary purpose of VPC Service Controls?

A.To control ingress and egress traffic at the network level
B.To detect network intrusions
C.To prevent data exfiltration from Google Cloud services
D.To protect against DDoS attacks
AnswerC

VPC Service Controls create perimeters around services to reduce the risk of data theft.

Why this answer

VPC Service Controls create perimeters around Google Cloud services to prevent data exfiltration. VPC firewall rules control network traffic. Cloud Armor is for DDoS.

Cloud IDS is for intrusion detection.

596
MCQmedium

A company's PostgreSQL database has grown to 50 TB and their application requires near-zero downtime, automatic failover, and the ability to scale reads horizontally without the migration complexity of switching to Spanner. Which Google Cloud database product is specifically designed as a fully managed, highly scalable PostgreSQL-compatible database?

A.Cloud SQL (PostgreSQL)
B.AlloyDB for PostgreSQL
C.Cloud Spanner
D.Bare metal PostgreSQL on Compute Engine
AnswerB

AlloyDB provides full PostgreSQL compatibility with enterprise-grade performance (4× faster OLTP, 100× faster analytics), 99.99% HA, and horizontal read scaling — without changing application code.

Why this answer

AlloyDB for PostgreSQL is a fully managed, PostgreSQL-compatible database service designed for high scalability, near-zero downtime, and automatic failover. It separates compute and storage to enable horizontal read scaling with read pools, and it uses a columnar engine for analytical acceleration, making it ideal for large workloads like 50 TB without the migration complexity of Spanner.

Exam trap

The trap here is that candidates confuse Cloud SQL's PostgreSQL offering with AlloyDB's PostgreSQL compatibility, overlooking Cloud SQL's storage and scaling limitations for large, high-availability workloads.

How to eliminate wrong answers

Option A is wrong because Cloud SQL for PostgreSQL is limited to 30 TB of storage and does not support automatic horizontal read scaling or near-zero downtime failover at the scale of 50 TB. Option C is wrong because Cloud Spanner is a globally distributed, strongly consistent database that is not PostgreSQL-compatible and requires significant application migration to change from PostgreSQL semantics. Option D is wrong because bare metal PostgreSQL on Compute Engine is not a fully managed service; it requires manual configuration for failover, scaling, and maintenance, and does not provide the automatic, near-zero downtime capabilities specified.

597
Drag & Dropmedium

Drag and drop the steps to recover a Compute Engine VM from a snapshot in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

The recovery process involves using the snapshot to create a disk, detaching the old boot disk, attaching the new one, and starting the VM.

598
MCQhard

An organization uses labels to track cost by environment (dev, test, prod). However, the Finance team notices that some resources are missing the 'env' label. Which service can automatically suggest labeling resources that are missing required labels?

A.Cost Management dashboard
B.Active Assist Recommendations
C.Cloud Asset Inventory
D.Organization Policy Service
AnswerB

Active Assist includes a recommender for labeling resources that are missing required labels.

Why this answer

Active Assist provides recommendations for various optimizations, including labeling. The Recommender can suggest labels for resources that are missing them, based on usage patterns.

599
MCQhard

A security administrator needs to ensure that Google personnel do not access customer data without explicit authorization. Which service should they use to get logs of Google employee access?

A.Access Transparency
B.Cloud Audit Logs
C.Security Command Center
D.Assured Workloads
AnswerA

Access Transparency logs Google personnel access to customer data.

Why this answer

Access Transparency provides logs of Google personnel actions on customer data. Cloud Audit Logs track user activities within the customer's project. Assured Workloads is for regulatory compliance.

Security Command Center is for threat detection.

600
MCQhard

A machine learning team wants to train, evaluate, deploy, and monitor ML models in a unified platform without managing infrastructure, and with built-in support for experiment tracking, model versioning, and A/B testing between model versions. Which Google Cloud product provides this end-to-end managed ML platform?

A.BigQuery ML, for training and deploying ML models using SQL within BigQuery
B.Vertex AI, Google Cloud's unified ML platform covering training, experiment tracking, model registry, deployment, and monitoring in a single managed service
C.Cloud Dataproc, for running distributed Spark ML jobs on managed Hadoop clusters
D.Cloud Functions, for deploying ML inference code as serverless functions
AnswerB

Vertex AI is the complete answer. It provides: managed training (custom containers or AutoML), Vertex AI Experiments (experiment tracking and comparison), Vertex AI Model Registry (version management), Vertex AI Endpoints (serving with traffic splitting for A/B testing), and Model Monitoring (data drift and skew detection). This is Google Cloud's end-to-end ML platform.

Why this answer

Vertex AI is Google Cloud's unified ML platform that provides an end-to-end managed service for training, evaluating, deploying, and monitoring ML models without requiring infrastructure management. It includes built-in experiment tracking, a model registry for versioning, and supports A/B testing between model versions, directly matching the question's requirements.

Exam trap

The trap here is that candidates may confuse BigQuery ML's SQL-based model training with a full ML platform, overlooking its lack of experiment tracking, model versioning, and A/B testing capabilities that Vertex AI provides.

How to eliminate wrong answers

Option A is wrong because BigQuery ML is limited to training and deploying models using SQL within BigQuery, lacking built-in experiment tracking, model versioning, and A/B testing capabilities for custom ML workflows. Option C is wrong because Cloud Dataproc is a managed Spark and Hadoop service for distributed data processing, not a unified ML platform with experiment tracking, model registry, or A/B testing features. Option D is wrong because Cloud Functions is a serverless compute service for event-driven code execution, not designed for ML model training, experiment tracking, or A/B testing between model versions.

Page 7

Page 8 of 14

Page 9