Google Cloud Digital Leader (GCDL) — Questions 601675

991 questions total · 14pages · All types, answers revealed

Page 8

Page 9 of 14

Page 10
601
MCQhard

An organization uses Security Command Center (SCC) premium tier and wants to automatically remediate a specific finding type by disabling public access to Cloud Storage buckets. What is the recommended approach?

A.Use Cloud Pub/Sub alone to listen for SCC findings and then manually remediate
B.Use IAM to deny all users except project owners from making buckets public
C.Set up a Cloud Function triggered by SCC findings to remove public access
D.Configure a Cloud Scheduler job to run a script that checks and removes public access
AnswerC

SCC can publish findings to Pub/Sub, which triggers a Cloud Function to remediate.

Why this answer

Option C is correct because Security Command Center (SCC) premium tier can publish findings to Cloud Pub/Sub, which can trigger a Cloud Function via a push subscription. The Cloud Function can then use the Google Cloud Storage API (specifically, the `storage.buckets.setIamPolicy` method) to remove the `allUsers` or `allAuthenticatedUsers` bindings that grant public access, enabling automated, event-driven remediation without manual intervention.

Exam trap

Google Cloud often tests the distinction between event-driven automation (Cloud Functions + Pub/Sub) and scheduled or manual approaches, so candidates mistakenly choose Cloud Scheduler or IAM deny policies because they think 'automation' means periodic checks or preventive controls, rather than reactive, real-time remediation.

How to eliminate wrong answers

Option A is wrong because using Cloud Pub/Sub alone only delivers the finding notification; it does not perform any remediation action, so manual steps are still required, which defeats the goal of automation. Option B is wrong because IAM deny policies cannot retroactively remove public access from buckets that already have public bindings; they only prevent future grants, and they do not automatically remediate existing public buckets. Option D is wrong because Cloud Scheduler runs on a fixed schedule, not in response to SCC findings, so it introduces latency and cannot provide real-time remediation when a finding is generated.

602
Multi-Selecthard

A company wants to implement the principle of least privilege for a team of developers who need to deploy applications on Compute Engine and monitor logs. Which THREE IAM roles should be granted? (Choose 3)

Select 3 answers
A.roles/iam.serviceAccountUser
B.roles/compute.networkAdmin
C.roles/logging.viewer
D.roles/compute.instanceAdmin
E.roles/compute.admin
AnswersA, C, D

Allows developers to use service accounts with instances.

Why this answer

roles/compute.instanceAdmin provides permissions to manage instances. roles/logging.viewer provides read access to logs. roles/iam.serviceAccountUser allows attaching service accounts to instances. roles/compute.networkAdmin is too broad for developers. roles/compute.admin is a full admin role, violating least privilege.

603
MCQmedium

A company is planning a cloud migration and wants to understand the difference between 'lift and shift' and 'cloud-native' approaches. Which statement correctly distinguishes these two migration strategies?

A.Lift and shift uses containers; cloud-native uses virtual machines.
B.Lift and shift moves applications to the cloud with minimal changes; cloud-native re-architects applications to leverage cloud-specific features and managed services.
C.Lift and shift is only possible for new applications; cloud-native is for existing applications.
D.Lift and shift costs more long-term; cloud-native costs more short-term due to licensing.
AnswerB

Lift and shift is fast with minimal changes but doesn't fully leverage cloud. Cloud-native requires more effort but maximizes benefits like autoscaling, managed databases, and serverless.

Why this answer

Option B is correct because 'lift and shift' (rehosting) involves moving applications to the cloud with minimal or no changes, often using Infrastructure as a Service (IaaS) to replicate the on-premises environment. In contrast, 'cloud-native' (re-architecting) redesigns applications to use cloud-specific features like auto-scaling, managed databases, and serverless compute, fully leveraging the cloud's elasticity and pay-as-you-go model.

Exam trap

The trap here is that candidates often confuse the tools (containers vs. VMs) with the strategy, assuming lift and shift always uses containers and cloud-native uses VMs, when in fact the opposite is true for typical implementations.

How to eliminate wrong answers

Option A is wrong because lift and shift typically uses virtual machines (VMs) to replicate on-premises infrastructure, not containers; cloud-native applications often use containers (e.g., Docker) and orchestration (e.g., Kubernetes) for microservices, not VMs. Option C is wrong because lift and shift is primarily used for existing legacy applications to migrate quickly, while cloud-native is often applied to new applications but can also involve re-architecting existing ones. Option D is wrong because lift and shift can lead to higher long-term costs due to inefficient resource utilization and licensing, while cloud-native may have higher initial development costs but lower operational costs over time due to optimized resource usage and managed services.

604
MCQmedium

A company has deployed a web application on Compute Engine in us-central1-a. Users in Europe report high latency. The company wants to reduce latency by serving traffic from a location closer to European users. However, they currently use a zonal managed instance group. What is the MOST cost-effective and operationally simple approach to reduce latency for European users?

A.Create a new zonal instance group in europe-west1-a and use a round-robin DNS
B.Keep the instance group in us-central1 but enable Cloud CDN
C.Change the managed instance group to regional, and use an HTTP(S) load balancer with the backend in europe-west1
D.Move the application to Cloud Run and deploy in europe-west1
AnswerC

Regional groups spread across zones in a European region; global load balancer routes users to the closest backend.

Why this answer

A regional managed instance group across multiple zones in a European region (e.g., europe-west1) with a global load balancer will route users to the nearest backend, reducing latency. Recreating in a different zone in the same region doesn't help. Moving to Cloud Run might help but requires containerising the app.

Using a single zone in Europe is not as resilient.

605
MCQmedium

A company uses Google Workspace for identity. They want employees to use their Google Workspace credentials to access third-party applications (Salesforce, Slack, etc.) without separate passwords for each app. Which technology enables this?

A.VPN — employees connect to the corporate VPN which provides access to all apps.
B.Single Sign-On (SSO) using SAML 2.0 or OIDC with Google Workspace as the Identity Provider.
C.Cloud Armor — blocks unauthorized access attempts to applications.
D.Shared service account — all employees use the same credential.
AnswerB

Google Workspace as IdP federates identity to third-party apps via SAML 2.0 or OIDC. Employees authenticate once with their Google credentials and access all federated apps without separate passwords.

Why this answer

Option B is correct because Single Sign-On (SSO) using SAML 2.0 or OIDC allows Google Workspace to act as the Identity Provider (IdP), issuing authentication tokens that third-party applications (like Salesforce and Slack) trust. This eliminates the need for separate passwords, as users authenticate once with Google Workspace and the IdP handles subsequent access via security assertions or ID tokens.

Exam trap

Google Cloud often tests the distinction between network-level access (VPN) and identity-level federation (SSO), so candidates mistakenly choose VPN because they think it 'provides access to all apps' without realizing it does not solve the separate-password problem.

How to eliminate wrong answers

Option A is wrong because a VPN provides network-layer access to corporate resources but does not eliminate separate application passwords; users still need to authenticate to each app individually. Option C is wrong because Cloud Armor is a web application firewall and DDoS protection service that blocks malicious traffic at the edge, not an identity federation or SSO technology. Option D is wrong because a shared service account violates the principle of least privilege and non-repudiation; all employees using the same credential would create severe security and audit issues, and it does not enable passwordless access to third-party apps.

606
MCQeasy

A manufacturing company wants to use sensor data from equipment to predict failures before they happen, reducing downtime. How does cloud technology enable this transformation?

A.By using edge computing to store all data locally
B.By setting up monitoring alerts for equipment failure
C.By migrating all data to a data warehouse for batch analysis
D.By offering IoT Core and AI Platform to collect data and build predictive models
AnswerD

Cloud services like IoT Core and AI Platform enable scalable data collection and machine learning for predictions.

Why this answer

Cloud provides scalable data ingestion, storage, and advanced analytics (AI/ML) to process IoT data for predictive maintenance. Option B is wrong because edge computing is for low latency, but not the core enabler. Option C is wrong because monitoring is reactive, not predictive.

Option D is wrong because batch processing is not real-time predictive.

607
MCQmedium

A company wants to migrate its existing on-premises virtual machines (VMware VMs) to Google Cloud with minimal changes to the operating system and applications. Which Google Cloud product is specifically designed for migrating on-premises VMs to Google Cloud with minimal modification?

A.Migrate to Virtual Machines (formerly Velostrata), which migrates on-premises VMware VMs to Compute Engine with minimal modification and downtime
B.Cloud Dataflow, by streaming data from on-premises VMs to Google Cloud storage
C.Anthos, by registering on-premises Kubernetes clusters with Google Cloud's management plane
D.Cloud Storage Transfer Service, by copying VM disk images from on-premises storage to Cloud Storage
AnswerA

Migrate to Virtual Machines is the purpose-built service for this. It performs VM migrations from VMware (and other sources) to Compute Engine, handling the OS and application translation automatically. The 'minimal changes' requirement is the defining characteristic — it's a lift-and-shift migration tool.

Why this answer

Migrate to Virtual Machines (formerly Velostrata) is the correct choice because it is specifically designed to migrate on-premises VMware VMs to Compute Engine with minimal modification to the OS and applications. It uses a streaming migration approach that moves the VM's disk state incrementally while keeping the VM running, resulting in minimal downtime and no need to re-architect the workloads.

Exam trap

Google Cloud often tests the distinction between general-purpose data transfer or processing services (like Dataflow or Storage Transfer Service) and specialized migration tools, tempting candidates to pick a familiar service that sounds plausible but lacks the specific VM migration capability.

How to eliminate wrong answers

Option B is wrong because Cloud Dataflow is a stream and batch data processing service, not a VM migration tool; it cannot migrate entire VMs with their OS and applications intact. Option C is wrong because Anthos focuses on managing Kubernetes clusters across environments, not on migrating individual VMware VMs with minimal modification. Option D is wrong because Cloud Storage Transfer Service is designed for bulk data transfers to Cloud Storage, not for live VM migration; it would require manual disk image creation and does not handle OS/application state or minimize downtime.

608
MCQmedium

A startup needs to quickly deploy a web application with minimal infrastructure management. They want to focus on code, not servers. Which Google Cloud service model is most appropriate?

A.Software as a Service (SaaS) using Gmail
B.Function as a Service (FaaS) using Cloud Functions
C.Infrastructure as a Service (IaaS) using Compute Engine
D.Platform as a Service (PaaS) using App Engine
AnswerD

App Engine automatically scales and manages the runtime environment, allowing developers to focus solely on code.

Why this answer

App Engine is a fully managed Platform as a Service (PaaS) that abstracts away the underlying infrastructure, allowing developers to deploy web applications without managing servers or operating systems. It automatically handles scaling, load balancing, and patching, which aligns with the startup's requirement to focus on code rather than infrastructure management.

Exam trap

Google Cloud often tests the distinction between PaaS and FaaS by presenting a scenario that requires a full web application, where candidates mistakenly choose FaaS (Cloud Functions) because they confuse 'serverless' with 'no infrastructure management,' ignoring that FaaS is unsuitable for long-running HTTP applications with stateful sessions.

How to eliminate wrong answers

Option A is wrong because Gmail is a Software as a Service (SaaS) application, not a service model for deploying custom web applications; it provides no platform for code deployment or customization. Option B is wrong because Cloud Functions is a Function as a Service (FaaS) designed for event-driven, stateless functions, not for hosting a complete web application with persistent HTTP routing and session management. Option C is wrong because Compute Engine is Infrastructure as a Service (IaaS) that requires manual provisioning, configuration, and management of virtual machines, which contradicts the goal of minimizing infrastructure management.

609
MCQmedium

An engineer needs to analyze detailed cost data, including resource-level usage costs and labels, to create custom reports. Which approach should they use?

A.Use the Cost Management dashboard to export a CSV
B.Set up billing export to BigQuery
C.Manually review invoices
D.Use the Cloud Pricing Calculator
AnswerB

This provides the most detailed and flexible data for custom analysis.

Why this answer

Billing export to BigQuery allows you to export detailed, granular billing data (including labels and resource-level costs) to a BigQuery dataset for custom analysis and reporting.

610
MCQeasy

Refer to the exhibit. A security administrator reviews this Cloud Audit Logs entry. What does this entry indicate?

A.The user attempted to read the object 'secret.pdf' and the request resulted in an error.
B.The user updated the IAM policy on the bucket.
C.The user attempted to delete the object 'secret.pdf'.
D.The user successfully read the object 'secret.pdf'.
AnswerA

The method is 'get' and severity ERROR shows a failed read attempt.

Why this answer

Option A is correct because the log entry shows a 'storage.objects.get' method with the resource name of a specific object, indicating that user@example.com read the object. Option B is wrong because the method is 'get', not 'delete'. Option C is wrong because the severity is ERROR, but that could be due to the object being private or other reasons; the log shows a successful read? Actually, the severity is ERROR but the method is get, meaning the request resulted in an error? The exhibit doesn't show the status.

However, the question is ambiguous. To make it clear, we should specify that the log shows an attempt to read an object that resulted in an error (e.g., 404). But since the log shows the method, we can interpret it as an access attempt.

Let's adjust the options to reflect that it shows an attempt. Better: We'll assume the log shows a read attempt that was denied. For clarity, we'll add that the severity is ERROR, meaning the request failed.

Then correct answer: The user attempted to read a secret document. Options: A) The user successfully read the object; B) The user attempted to delete the object; C) The user attempted to read the object; D) The user changed permissions. Correct: C (attempted read).

Explanation: The method is 'get', and severity ERROR indicates failure, so it's an attempt. Option A is wrong because success would be lower severity. Option B is wrong because method is get.

Option D is wrong because method is not setIamPolicy.

611
MCQhard

A global gaming company uses Cloud Spanner for their leaderboard. They notice that write latency spikes during peak hours. The database is currently deployed in a single region. Which scaling strategy should they implement to reduce write latency globally?

A.Use Cloud Spanner multi-region configuration.
B.Implement application-level caching with Memorystore.
C.Change to Cloud Bigtable for higher throughput.
D.Add more nodes to the existing Spanner instance.
AnswerA

A multi-region configuration places replicas in multiple regions, enabling lower write latency by allowing writes to be committed closer to users.

Why this answer

Cloud Spanner's multi-region configuration is designed to reduce write latency for globally distributed users by placing write-capable replicas in multiple geographic regions. This allows writes to be committed at the nearest replica, leveraging Spanner's TrueTime and Paxos-based replication to maintain strong consistency across regions. A single-region deployment forces all writes to a single location, causing high latency for distant clients during peak hours.

Exam trap

Google Cloud often tests the misconception that scaling a database horizontally by adding nodes always reduces latency, but in a single-region Spanner setup, adding nodes only increases throughput and storage, not geographic proximity, which is the root cause of high write latency for global users.

How to eliminate wrong answers

Option B is wrong because application-level caching with Memorystore does not reduce write latency to the database; it only improves read performance for cached data, and writes still must go to the single-region Spanner instance. Option C is wrong because Cloud Bigtable is optimized for high-throughput, low-latency reads and writes for analytical workloads, but it does not support strong transactional consistency or SQL queries, making it unsuitable for a leaderboard that requires real-time, consistent updates. Option D is wrong because adding more nodes to the existing single-region Spanner instance increases throughput and storage capacity but does not reduce write latency for clients far from that region; the write path still requires consensus across replicas in the same geographic location.

612
MCQeasy

Google Cloud's operations suite includes Cloud Monitoring for metrics. What is the difference between 'monitoring' and 'observability' in cloud operations?

A.Monitoring and observability are identical terms — both describe collecting and analyzing system metrics.
B.Monitoring tracks predefined metrics and alerts on known conditions; observability is the system property enabling engineers to understand any internal state from its outputs (metrics, logs, traces).
C.Monitoring is for production; observability is for development and testing environments.
D.Observability only applies to AI systems; monitoring is for traditional applications.
AnswerB

Monitoring answers 'Is X above threshold?' Observability answers 'Why is the system behaving unexpectedly?' — requiring metrics, logs, and traces working together to illuminate unknown failure modes.

Why this answer

Option B is correct because monitoring and observability are distinct concepts in cloud operations. Monitoring involves tracking predefined metrics and setting alerts for known failure conditions, while observability is a system property that allows engineers to understand any internal state by analyzing outputs like metrics, logs, and traces. In Google Cloud, Cloud Monitoring provides monitoring capabilities, but achieving true observability requires integrating Cloud Logging and Cloud Trace to explore unknown issues.

Exam trap

Google Cloud often tests the misconception that monitoring and observability are interchangeable terms, but the trap here is that monitoring is reactive to known conditions, while observability is a proactive property for diagnosing unknown issues.

How to eliminate wrong answers

Option A is wrong because monitoring and observability are not identical; monitoring is a subset of observability, focusing on known metrics, whereas observability enables exploration of unknown states. Option C is wrong because observability is not limited to development and testing; it is critical in production to debug complex, unpredictable issues. Option D is wrong because observability applies to all systems, not just AI, and monitoring is used across all application types, not just traditional ones.

613
MCQhard

An organization's leadership wants to foster a 'fail fast' culture to accelerate innovation. A cloud environment directly supports this culture by enabling which specific capability that on-premises infrastructure could not economically provide?

A.Cloud provides better project management tools for tracking experiments.
B.Cloud's on-demand provisioning allows teams to spin up and tear down experiment environments in minutes, making the cost of a failed experiment near-zero.
C.Cloud providers guarantee that experiments will succeed because Google engineers review them.
D.Cloud includes built-in A/B testing frameworks for all applications.
AnswerB

Experiments that fail on cloud cost only the hours they ran. On-premises, failed experiments wasted weeks of procurement effort and hardware budget. Cloud makes failure cheap, enabling faster learning.

Why this answer

Option B is correct because cloud's on-demand provisioning enables rapid creation and teardown of isolated environments via APIs (e.g., AWS CloudFormation, Azure Resource Manager), reducing the cost and time of failed experiments to near-zero. This directly supports a 'fail fast' culture by removing the capital expense and provisioning delays inherent in on-premises infrastructure, where hardware procurement and setup can take weeks.

Exam trap

The trap here is that candidates confuse 'fail fast' with project management or testing frameworks, missing the core cloud differentiator: on-demand, low-cost resource elasticity that makes experimentation economically viable.

How to eliminate wrong answers

Option A is wrong because project management tools (e.g., Jira, Trello) are software applications that can run on any infrastructure, not a unique cloud capability; they do not inherently accelerate experimentation cycles. Option C is wrong because cloud providers do not guarantee experiment success; they offer SLAs for uptime and performance, but code logic and experimental outcomes remain the customer's responsibility. Option D is wrong because cloud platforms do not include built-in A/B testing frameworks for all applications; such frameworks (e.g., Google Optimize, AWS Evidently) are optional services that must be explicitly configured and are not inherent to the cloud environment.

614
Multi-Selectmedium

A company is building a real-time chat application that requires low-latency messaging across multiple regions. The application needs to store user profiles and chat history. Which TWO Google Cloud services should the company consider for storing this data?

Select 2 answers
A.Cloud Memorystore
B.Cloud SQL
C.Cloud Datastore
D.Cloud Bigtable
E.Cloud Firestore
AnswersA, E

Memorystore (Redis) can be used for real-time pub/sub and caching to reduce latency.

Why this answer

Cloud Firestore offers real-time synchronization and is suitable for chat messages and user profiles. Cloud Memorystore is a managed Redis/Memcached service that can be used for caching and real-time data. Cloud SQL is not designed for real-time multi-region sync.

Bigtable is not ideal for chat history with complex queries. Datastore is the older version of Firestore.

615
MCQmedium

A developer wants to create a new project in Google Cloud. They have the Project Creator role at the organization level. Which of the following is NOT required to create a project?

A.The Google Cloud CLI installed locally
B.The resourcemanager.projects.create permission
C.A billing account linked to the project
D.Enabling the Cloud Resource Manager API
AnswerA

Projects can be created via Cloud Console, API, or gcloud, but the CLI is not mandatory.

Why this answer

To create a project, you need the resourcemanager.projects.create permission and a billing account must be linked. However, enabling APIs is not required at project creation; it can be done later.

616
Multi-Selectmedium

A company is building a data lake on Google Cloud. They need to store both structured and unstructured data, and process it using batch and streaming jobs. Which TWO Google Cloud services should they use? (Choose 2)

Select 2 answers
A.Cloud Storage
B.Cloud SQL
C.Firestore
D.Cloud Pub/Sub
E.BigQuery
AnswersA, E

Cloud Storage is ideal for storing any type of data (structured/unstructured) as objects.

Why this answer

Cloud Storage is the primary storage for the data lake (unstructured data, raw files), and BigQuery serves as the query layer for structured analytics. Dataflow could be a processing engine, but the question asks for storage and processing? Actually, the stem says 'store both structured and unstructured data' and 'process it using batch and streaming jobs'. The best combination is Cloud Storage (for storage) and Dataflow (for processing).

But BigQuery also stores structured data. However, the question likely expects Cloud Storage for raw data and BigQuery for structured querying. But processing is also mentioned.

The correct pair is Cloud Storage and Dataflow/BigQuery? Let's see options.

617
MCQmedium

A company is evaluating whether to use a content delivery network (CDN) for its e-commerce website. Which scenario would most benefit from CDN implementation?

A.A small business whose customers are all located within 10 kilometers of the company's single data center
B.An e-commerce site with global customers that serves high-resolution product images and videos, where page load speed directly affects conversion rates
C.A real-time financial trading application that requires unique, uncacheable price data delivered to a single city's traders
D.An internal HR system used exclusively by employees in the company's headquarters
AnswerB

This is the ideal CDN scenario: geographically distributed users, highly cacheable content (product images and videos), and a business metric (conversion rate) that is demonstrably sensitive to latency. CDN edges serve cached content locally, dramatically reducing page load times for international visitors.

Why this answer

Option B is correct because a CDN caches static content like high-resolution images and videos at edge servers geographically closer to users, reducing latency and improving page load speed. For an e-commerce site with global customers, faster load times directly boost conversion rates, making CDN implementation highly beneficial.

Exam trap

The GCDL exam often tests the misconception that CDNs are a universal performance solution, but the trap here is that CDNs only benefit cacheable, static, or geographically distributed content, not real-time or localized traffic.

How to eliminate wrong answers

Option A is wrong because customers are all within 10 km of a single data center, so latency is already minimal and a CDN would provide negligible benefit. Option C is wrong because real-time financial trading data is unique and uncacheable, so a CDN cannot serve stale or cached content, and the single-city user base doesn't require global distribution. Option D is wrong because an internal HR system used only by employees at headquarters has no geographic distribution or performance issues that a CDN would solve.

618
MCQmedium

Google's physical data center security includes multiple layers of protection. Which of the following is NOT a physical security measure Google uses at its data centers?

A.Biometric authentication and badge access controls at multiple security perimeters.
B.24/7 on-site security personnel who monitor the facility continuously.
C.Customers can schedule tours of Google data centers to verify security practices directly.
D.Secure hardware destruction procedures for decommissioned storage devices.
AnswerC

Google data centers are not open to customer tours — they are high-security facilities with strict access controls. Google provides third-party audit reports (ISO 27001, SOC 2) as security verification instead of physical tours.

Why this answer

Option C is correct because Google does not offer public tours of its data centers. Allowing customers to schedule tours would introduce unnecessary security risks and is not part of Google's physical security model. Instead, Google provides transparency through third-party audit reports and certifications (e.g., SOC 2, ISO 27001) to verify security practices.

Exam trap

The GCDL exam often tests the misconception that Google offers data center tours as a transparency measure, but in reality, Google relies on independent third-party audits and certifications rather than allowing physical access to customers.

How to eliminate wrong answers

Option A is wrong because biometric authentication and badge access controls are indeed used by Google at multiple security perimeters, including the outer fence, building entrance, and server floor doors. Option B is wrong because 24/7 on-site security personnel are a standard physical security measure at Google data centers, monitoring CCTV and responding to incidents. Option D is wrong because secure hardware destruction procedures, such as degaussing, shredding, or pulverizing decommissioned storage devices, are a critical part of Google's data sanitization process to prevent data recovery.

619
MCQhard

A company wants to reserve Compute Engine instances for a 3-year term to get the maximum discount. They expect consistent usage and want the discount to apply automatically to any instance matching the configuration. Which purchasing option should they choose?

A.Sustained use discounts
B.Preemptible VM instances
C.Reserved instances (like AWS)
D.Committed use discounts with a 3-year term
AnswerD

3-year CUDs provide the highest discount for predictable workloads.

Why this answer

Committed use discounts (CUDs) offer significant discounts in exchange for a commitment to use a minimum level of resources for 1 or 3 years. They apply automatically to eligible instances in the specified region and machine series.

620
MCQmedium

A company wants to reduce its on-premises data center footprint by moving workloads to Google Cloud. They need to maintain low-latency connectivity between their remaining on-premises equipment and their Google Cloud VPC. Which Google Cloud service should they use?

A.Cloud VPN
B.Dedicated Interconnect
C.Partner Interconnect
D.Direct Peering
AnswerB

Dedicated Interconnect provides direct private connections with low latency and high reliability.

Why this answer

Dedicated Interconnect provides direct, private, high-bandwidth connections between on-premises and Google Cloud, meeting low-latency requirements. Partner Interconnect uses service providers with lower bandwidth. Cloud VPN is internet-based and slower.

Direct Peering lacks SLAs.

621
MCQeasy

A company wants to reduce its Google Cloud costs without reducing its workload capacity. The team identifies that several production VMs consistently use less than 30% of their allocated CPU and memory. What is the most straightforward cost optimization action?

A.Delete the under-utilized VMs since low utilization indicates they are no longer needed
B.Right-size the VMs by migrating to smaller machine types that match actual CPU and memory consumption, reducing costs proportionally
C.Purchase Committed Use Discounts for the over-provisioned VMs to reduce their per-hour cost
D.Enable sustained use discounts by ensuring VMs run continuously throughout the month
AnswerB

Right-sizing is the direct action. If VMs use 30% of their resources, a smaller machine type that provides the resources actually needed (with some headroom for spikes) costs significantly less. Active Assist proactively surfaces right-sizing recommendations with projected savings.

Why this answer

Right-sizing VMs by migrating to smaller machine types that match actual CPU and memory consumption directly reduces the cost per hour while maintaining the same workload capacity. Since the VMs are consistently under-utilized, this approach eliminates wasted resources without affecting performance or availability.

Exam trap

Google Cloud often tests the misconception that deleting under-utilized VMs is the simplest cost-saving action, but the question explicitly states workload capacity must be maintained, making right-sizing the correct approach.

How to eliminate wrong answers

Option A is wrong because deleting under-utilized VMs would reduce workload capacity, contradicting the requirement to maintain capacity; low utilization does not mean the VMs are unnecessary. Option C is wrong because Committed Use Discounts (CUDs) reduce the per-hour cost of existing machine types but do not address the root cause of over-provisioning; you would still pay for unused capacity. Option D is wrong because sustained use discounts are automatically applied for VMs running >25% of a month and do not require enabling; they also do not reduce costs from over-provisioned resources.

622
MCQmedium

You are monitoring Compute Engine instances with Cloud Monitoring. You notice that autoscaling is not triggering even though CPU utilization is above 80% for several minutes. The managed instance group has autoscaling based on CPU utilization with a target of 0.8. What is the most likely cause?

A.The maximum number of instances is already reached.
B.The autoscaler is disabled.
C.The minimum number of instances is set too high.
D.The cool-down period is too long.
AnswerA

If the instance group has reached its max size, the autoscaler cannot add more instances, so it will not trigger.

Why this answer

The most likely cause is that the managed instance group has already reached its configured maximum number of instances. When the maximum instance count is hit, the autoscaler cannot add more instances even if CPU utilization exceeds the target of 0.8 (80%). This is a common boundary condition in autoscaling logic where the scaling policy is overridden by the hard limit.

Exam trap

The trap here is that candidates often focus on the CPU target and cool-down settings, overlooking the hard boundary of the maximum instance count, which is a fundamental constraint in autoscaling logic.

How to eliminate wrong answers

Option B is wrong because if the autoscaler were disabled, no scaling events would occur at all, but the question states that autoscaling is not triggering despite high CPU, implying the autoscaler is enabled but blocked. Option C is wrong because a high minimum number of instances would cause the autoscaler to keep instances running, not prevent it from scaling up; it would actually ensure a baseline, not block scaling. Option D is wrong because a long cool-down period delays scaling actions but does not permanently prevent them; after the cool-down expires, the autoscaler would still trigger if CPU remains high.

623
MCQeasy

A small startup wants to protect its web application from common attacks like SQL injection and cross-site scripting (XSS). They also need DDoS protection. Which Google Cloud security service should they use?

A.Security Command Center
B.Cloud IDS
C.reCAPTCHA Enterprise
D.Cloud Armor
AnswerD

Cloud Armor includes WAF and DDoS protection.

Why this answer

Cloud Armor provides web application firewall (WAF) rules to block SQL injection and XSS, plus DDoS protection.

624
MCQmedium

A company wants to reduce costs for their long-running Compute Engine instances by committing to a 1-year term. Which type of discount should they use?

A.Sole-tenant node discount
B.Preemptible VM discount
C.Sustained use discount
D.Committed use discount
AnswerD

Requires 1 or 3 year commitment for higher discount.

Why this answer

Committed use discounts offer reduced prices in exchange for a 1 or 3 year commitment.

625
MCQmedium

A financial services firm must comply with PCI DSS and wants to run workloads on Google Cloud. They need to isolate their production environment from development and enforce granular access controls. Which Google Cloud service should they use?

A.Cloud Armor
B.Cloud NAT
C.VPC Service Controls and IAM
D.Cloud VPN
AnswerC

VPC Service Controls create perimeters around resources to prevent data exfiltration; IAM manages user permissions.

Why this answer

Google Cloud's VPC Service Controls enable isolation of sensitive data in a VPC perimeter, while IAM provides granular access controls. Together they help meet compliance requirements.

626
MCQmedium

A healthcare organization wants to build an application that ingests FHIR-formatted patient records from multiple hospital systems, normalizes them, and makes them queryable by clinical researchers. Which Google Cloud service is purpose-built for healthcare data interoperability?

A.BigQuery — store FHIR JSON records and query them with SQL.
B.Cloud Healthcare API with FHIR store support.
C.Cloud SQL — store patient records in a relational schema.
D.Google Forms — collect patient data directly from hospitals via web forms.
AnswerB

Cloud Healthcare API natively supports FHIR R4, HL7v2, and DICOM. It provides a standards-compliant API layer for clinical data ingestion, normalization, and research access with built-in de-identification.

Why this answer

The Cloud Healthcare API with FHIR store support is purpose-built for healthcare data interoperability because it natively handles FHIR (Fast Healthcare Interoperability Resources) standards, including resource validation, versioning, and search. It provides a managed service that ingests, normalizes, and stores FHIR-formatted patient records from multiple hospital systems, enabling secure querying by clinical researchers without requiring custom ETL pipelines.

Exam trap

The GCDL exam often tests the misconception that any database (like BigQuery or Cloud SQL) can serve as a healthcare interoperability solution, but the trap here is that only the Cloud Healthcare API with FHIR store provides the native FHIR protocol support, validation, and compliance features required for healthcare data exchange.

How to eliminate wrong answers

Option A is wrong because BigQuery is a data warehouse for analytical queries, not a purpose-built healthcare interoperability service; it lacks native FHIR resource validation, versioning, and search capabilities, and storing raw FHIR JSON there would require custom parsing and normalization. Option C is wrong because Cloud SQL is a managed relational database service that does not support FHIR standards natively; storing patient records in a relational schema would require extensive schema design and mapping, defeating the purpose of interoperability. Option D is wrong because Google Forms is a survey tool for collecting user input via web forms, not designed for ingesting structured FHIR data from hospital systems; it cannot handle FHIR resource validation, API-based ingestion, or secure healthcare data exchange.

627
MCQmedium

A company currently uses Hadoop and Spark for batch data processing on a large on-premises cluster. They want to migrate these workloads to Google Cloud with minimal rewriting of existing Spark and Hadoop jobs. Which Google Cloud service is the best fit?

A.Cloud Dataflow — it runs all Spark and Hadoop jobs natively.
B.Cloud Dataproc — managed Apache Spark and Hadoop with minimal code changes.
C.BigQuery — it runs Spark SQL queries via BigQuery Spark stored procedures.
D.Google Kubernetes Engine — deploy Spark clusters on Kubernetes.
AnswerB

Dataproc runs native Spark, Hadoop, Hive, and Pig workloads. Existing jobs can be migrated with minimal changes by pointing them at Dataproc clusters and Cloud Storage instead of HDFS.

Why this answer

Cloud Dataproc is a managed service for running Apache Spark and Hadoop clusters on Google Cloud. It supports the same open-source versions of Spark and Hadoop that the company currently uses, allowing them to migrate their existing batch processing workloads with minimal code changes. This makes it the best fit for the stated requirement of minimal rewriting.

Exam trap

The GCDL exam often tests the misconception that Cloud Dataflow can run Spark/Hadoop jobs natively, when in fact it requires rewriting into Apache Beam, while Dataproc is the direct managed equivalent for these frameworks.

How to eliminate wrong answers

Option A is wrong because Cloud Dataflow does not run Spark or Hadoop jobs natively; it uses the Apache Beam SDK, which requires rewriting jobs into Beam pipelines. Option C is wrong because BigQuery is a serverless data warehouse for SQL analytics, not a platform for running Spark or Hadoop jobs; BigQuery Spark stored procedures are for executing Spark code within BigQuery, not for migrating existing Spark/Hadoop workloads. Option D is wrong because Google Kubernetes Engine (GKE) can run Spark on Kubernetes, but this requires containerizing the jobs and managing the Kubernetes infrastructure, which involves more rewriting and operational overhead than using Dataproc's native Spark/Hadoop support.

628
MCQeasy

A development team needs a managed relational database (MySQL or PostgreSQL) for their web application. They want automatic backups, patching, and high availability without managing a database server. Which Google Cloud service provides this?

A.Compute Engine with a self-managed MySQL installation.
B.Cloud SQL
C.Cloud Bigtable
D.Cloud Storage
AnswerB

Cloud SQL is a fully managed MySQL/PostgreSQL/SQL Server service. Google handles all infrastructure: patching, backups, HA with automatic failover, and monitoring.

Why this answer

Cloud SQL is a fully managed relational database service for MySQL, PostgreSQL, and SQL Server. It handles automated backups, patching, and high availability (via regional failover replicas) without requiring the user to manage the underlying database server, directly matching the team's requirements.

Exam trap

Google Cloud often tests the distinction between managed and unmanaged services, and the trap here is that candidates may confuse Cloud SQL with Compute Engine self-managed setups, overlooking the 'without managing a database server' requirement.

How to eliminate wrong answers

Option A is wrong because Compute Engine with a self-managed MySQL installation requires the team to manually handle backups, patching, and high availability, contradicting the requirement to avoid managing a database server. Option C is wrong because Cloud Bigtable is a NoSQL, wide-column database service, not a managed relational database (MySQL or PostgreSQL). Option D is wrong because Cloud Storage is an object storage service, not a relational database, and does not provide SQL query capabilities or automatic database patching.

629
MCQmedium

A data engineering team needs to process streaming data from Cloud Pub/Sub, perform transformations, and write the results to BigQuery. The team requires exactly-once processing semantics and automatic scaling. Which service should they use?

A.Cloud Functions
B.Cloud Dataflow
C.Cloud Dataproc
D.BigQuery
AnswerB

Dataflow offers exactly-once processing, autoscaling, and direct Pub/Sub and BigQuery I/O for streaming.

Why this answer

Dataflow (Apache Beam) provides exactly-once processing, autoscaling, and native integration with Pub/Sub and BigQuery for streaming pipelines. Cloud Dataproc is for batch Spark/Hadoop, not streaming. Cloud Functions processes events one at a time without exactly-once guarantees across a pipeline.

BigQuery itself does not transform streaming data.

630
MCQmedium

A company wants to know: if Google Cloud experiences a data breach that exposes customer data, what are Google's notification obligations under standard Cloud service terms?

A.Google has no obligation to notify customers of data breaches — customers must discover breaches themselves.
B.Google will notify affected customers of personal data breaches without undue delay per its Data Processing Addendum, enabling customers to meet their own regulatory notification obligations.
C.Google will notify all media outlets immediately upon breach detection to maximize transparency.
D.Breach notification is only available to customers with Premium support tier.
AnswerB

Google's Cloud DPA commits to breach notification. This enables customers to fulfill their own obligations (GDPR requires notifying authorities within 72 hours and affected individuals without undue delay).

Why this answer

Option B is correct because Google Cloud's standard Data Processing Addendum (DPA) contractually obligates Google to notify affected customers of personal data breaches without undue delay after confirmation. This enables customers to fulfill their own regulatory notification requirements under laws like GDPR or CCPA, as the customer remains the data controller responsible for end-user notifications.

Exam trap

The trap here is that candidates assume breach notification is optional or premium-only, but Google Cloud's standard DPA makes it a contractual right for all customers, regardless of support tier.

How to eliminate wrong answers

Option A is wrong because Google Cloud's DPA explicitly includes breach notification obligations, so customers are not left to discover breaches themselves. Option C is wrong because Google notifies affected customers, not media outlets; notifying media is not a standard contractual obligation and would violate data confidentiality. Option D is wrong because breach notification is a standard feature included in the DPA for all customers, not gated behind a Premium support tier.

631
MCQeasy

A project manager wants a cost-effective way to run batch processing jobs that run for a few hours each night. The jobs are fault-tolerant and can be interrupted. Which Compute Engine option is most suitable?

A.N2 high-CPU VMs
B.Regular VMs with committed use discounts
C.Sole-tenant nodes
D.Preemptible VMs
AnswerD

Preemptible VMs are significantly cheaper and can be terminated at any time, but suitable for fault-tolerant batch jobs.

Why this answer

Preemptible VMs are Compute Engine instances that last up to 24 hours and can be terminated at any time by Google Cloud, making them ideal for fault-tolerant, interruptible batch jobs that run for a few hours each night. They offer up to 80% cost savings compared to regular VMs, which aligns perfectly with the project manager's requirement for a cost-effective solution.

Exam trap

Google Cloud often tests the misconception that preemptible VMs are only for short-lived tasks, but the trap here is that candidates overlook the 'fault-tolerant and can be interrupted' requirement and choose committed use discounts, failing to recognize that preemptible VMs are the most cost-effective option for nightly batch jobs that can handle interruptions.

How to eliminate wrong answers

Option A is wrong because N2 high-CPU VMs are general-purpose instances optimized for compute-intensive workloads, but they do not provide the cost savings needed for interruptible batch jobs; they are billed at standard on-demand rates. Option B is wrong because regular VMs with committed use discounts require a 1- or 3-year commitment, which is not cost-effective for jobs that run only a few hours each night and do not guarantee 24/7 usage. Option C is wrong because sole-tenant nodes are dedicated physical servers for compliance or licensing needs, which incur higher costs and are unnecessary for fault-tolerant batch processing that can run on shared infrastructure.

632
MCQeasy

A company needs to analyze streaming data from IoT devices in real time. Which Google Cloud service should they use as the primary ingestion and analysis pipeline?

A.BigQuery
B.Cloud Storage
C.Dataflow
D.Cloud Pub/Sub
AnswerC

Dataflow provides stream and batch processing, ideal for real-time streaming pipelines with low latency.

Why this answer

Dataflow is the correct choice because it provides a unified stream and batch processing model based on Apache Beam, enabling real-time ingestion and analysis of streaming IoT data with exactly-once processing semantics and automatic scaling. BigQuery is a data warehouse for analytics on stored data, not a real-time ingestion pipeline. Cloud Storage is an object store for static data, not a streaming pipeline.

Cloud Pub/Sub is a messaging service for ingestion but lacks built-in analysis capabilities.

Exam trap

Google Cloud often tests the misconception that Cloud Pub/Sub alone is sufficient for real-time analysis, but the trap is that Pub/Sub is only a messaging layer and lacks built-in processing capabilities, so candidates must recognize that Dataflow is required for the analysis pipeline.

How to eliminate wrong answers

Option A is wrong because BigQuery is a serverless data warehouse designed for analytical queries on large datasets, not for real-time streaming ingestion and processing; it can ingest streaming data via the Storage Write API but requires a separate pipeline service like Dataflow for transformation and analysis. Option B is wrong because Cloud Storage is an object storage service for storing immutable blobs, not a streaming data pipeline; it cannot process or analyze data in real time. Option D is wrong because Cloud Pub/Sub is a scalable messaging middleware for ingesting and delivering event streams, but it does not perform data transformation, aggregation, or analysis; it must be paired with a processing service like Dataflow to build a complete pipeline.

633
MCQeasy

A traditional brick-and-mortar bookstore chain wants to use cloud technology to compete with online retailers. The store manager proposes putting all store inventory data in the cloud. The digital transformation advisor says this is only the first step. What does the advisor mean?

A.The company also needs to migrate its email to a cloud-based provider before transformation is complete
B.Storing data in the cloud is infrastructure migration; transformation means using that data and cloud capabilities to create new customer experiences, personalized recommendations, omnichannel shopping, and demand prediction
C.The company must also migrate its accounting software to the cloud before claiming digital transformation
D.Cloud storage alone cannot store inventory data; additional specialized database services are required
AnswerB

The advisor is making the crucial distinction between data migration (step 1) and business transformation (the goal). Cloud-hosted inventory data enables: app-based real-time stock checks, personalized recommendations using purchase history, demand forecasting to optimize buying, and online ordering with in-store pickup. That's the transformation.

Why this answer

Option B is correct because digital transformation goes beyond mere infrastructure migration (like moving data to the cloud). True transformation leverages cloud-native capabilities—such as serverless compute, AI/ML services, and real-time analytics—to reimagine business processes. In this scenario, storing inventory data in the cloud is just the first step; the bookstore must use that data to build personalized recommendation engines, omnichannel inventory visibility, and demand forecasting models, which fundamentally change how the business operates and competes.

Exam trap

The GCDL exam often tests the distinction between 'infrastructure migration' (lift-and-shift) and 'digital transformation' (using cloud services to fundamentally change business processes), and the trap here is that candidates mistake any cloud adoption—like moving data or email—for transformation, when transformation requires leveraging cloud-native capabilities to create new value.

How to eliminate wrong answers

Option A is wrong because migrating email to a cloud provider is also an infrastructure migration, not a transformation; it does not create new customer experiences or business models. Option C is wrong because moving accounting software to the cloud is another example of lift-and-shift, not a reimagining of the bookstore's core retail operations or customer engagement. Option D is wrong because cloud storage (e.g., Amazon S3 or Azure Blob Storage) can indeed store inventory data; the advisor's point is not about technical feasibility but about the need to use that data for higher-order business innovation.

634
MCQhard

An engineer wants to export billing cost data to BigQuery for custom reporting. They have created a BigQuery dataset and linked it to the billing account. However, the billing export tables are not being populated. What is the most likely cause?

A.The billing export has not been enabled in the Cloud Console
B.The engineer does not have the Billing Administrator IAM role
C.The BigQuery dataset is in a different location from the billing account's default region
D.The billing account is not linked to the project containing the BigQuery dataset
AnswerC

Billing export requires the dataset to be in the same multi-regional location (US or EU) as the billing account.

Why this answer

Billing export to BigQuery requires the billing account to be linked to a project that contains the dataset, and the dataset must be in the same location (e.g., US or EU) as the billing account's default region.

635
MCQmedium

An engineer wants to analyze historical spending trends and break down costs by project, region, and service. They need to run complex SQL queries on the billing data. What is the recommended approach?

A.Enable billing export to BigQuery and query the exported tables
B.Set up a budget alert to receive cost reports daily
C.Use the Cloud Billing API to programmatically fetch cost data
D.Download the monthly invoice CSV and import it into Sheets
AnswerA

Billing export to BigQuery provides structured tables that can be queried with SQL for detailed analysis.

Why this answer

Billing export to BigQuery sends detailed billing information (e.g., usage, cost, project, labels) into BigQuery tables, enabling complex SQL analysis.

636
MCQmedium

A company's application experiences a P1 (critical) production incident at 2 AM on a Sunday. The on-call engineer resolves the issue after 3 hours but isn't sure which team members to contact or what steps to follow during an incident. What operational practice and tooling would have helped manage this incident better?

A.Increase the application's max_instances so it scales to handle the issue automatically.
B.Establish a documented incident response process with defined roles, escalation paths, and runbooks, supported by on-call rotation tooling and Cloud Monitoring alerting.
C.Move all production deployments to Sunday nights to avoid weekday incident risk.
D.Disable monitoring alerts to prevent false alarms that wake engineers unnecessarily.
AnswerB

Incident response process defines what to do and who to involve. Runbooks provide step-by-step guidance. On-call rotation ensures 24/7 coverage. Cloud Monitoring alerting ensures rapid notification.

Why this answer

Option B is correct because a documented incident response process with defined roles, escalation paths, and runbooks ensures that the on-call engineer knows exactly whom to contact and what steps to follow during a P1 incident. Combined with on-call rotation tooling (e.g., PagerDuty, Opsgenie) and Cloud Monitoring alerting, this practice reduces mean time to acknowledge (MTTA) and mean time to resolve (MTTR) by providing clear, repeatable procedures. Without such a process, the engineer wasted time determining the response, which a runbook would have eliminated.

Exam trap

Google Cloud often tests the misconception that scaling or automation alone can replace a documented incident response process, but the question explicitly asks about operational practice and tooling for managing the incident, not just fixing the technical issue.

How to eliminate wrong answers

Option A is wrong because increasing max_instances only addresses scaling under load, not the lack of an incident response process; it does not help the engineer know whom to contact or what steps to follow. Option C is wrong because moving deployments to Sunday nights does not resolve the core issue of missing incident management procedures; it merely shifts the timing and could increase risk if a deployment causes the incident. Option D is wrong because disabling monitoring alerts would prevent detection of the incident altogether, worsening the problem rather than improving the response process.

637
MCQhard

A financial services firm must store customer transaction logs for 7 years to comply with regulatory requirements. The data must be immutable after writing, and access should be restricted to authorized auditors only. Which storage solution and configuration should they use?

A.Cloud Storage with object versioning enabled
B.Cloud Storage with object lifecycle management to delete objects after 7 years
C.Cloud Storage with object holds placed on each object
D.Cloud Storage with a retention policy set to 7 years
AnswerD

Retention policy (Bucket Lock) makes objects immutable for the specified duration, satisfying compliance.

Why this answer

Cloud Storage with a retention policy (e.g., using Bucket Lock) makes objects immutable for a fixed period. Lifecycle management deletes objects, object versioning maintains versions, and object holds prevent deletion but allow overwrites.

638
MCQhard

A company runs workloads across Google Cloud and on-premises environments. They want a single management plane to deploy and manage containerized applications consistently across both environments using the same tooling and policies. Which Google Cloud product provides this unified hybrid/multi-cloud management?

A.Cloud Interconnect — it connects on-premises to Google Cloud.
B.Anthos — Google's hybrid and multi-cloud application management platform.
C.Google Distributed Cloud — runs Google Cloud services inside the customer's data center.
D.Cloud Deployment Manager — deploys resources via infrastructure-as-code templates.
AnswerB

Anthos extends GKE management to on-premises and other clouds. A single Anthos control plane manages containerized workloads everywhere with consistent policies, service mesh, and observability.

Why this answer

Anthos is Google Cloud's hybrid and multi-cloud application management platform that provides a single control plane for deploying and managing containerized applications consistently across on-premises and cloud environments. It uses GKE on-prem and Anthos Config Management to enforce uniform policies, service mesh, and CI/CD pipelines, enabling the unified management described in the scenario.

Exam trap

The trap here is that candidates confuse network connectivity (Cloud Interconnect) or edge-specific solutions (Google Distributed Cloud) with a unified management plane, overlooking Anthos's role as the integrated platform for consistent container orchestration and policy enforcement across hybrid environments.

How to eliminate wrong answers

Option A is wrong because Cloud Interconnect is a dedicated network connectivity service (using VLAN attachments or partner interconnects) that links on-premises to Google Cloud, but it does not provide any application management or container orchestration plane. Option C is wrong because Google Distributed Cloud (formerly GDC) runs Google Cloud services inside the customer's data center but is focused on air-gapped or edge scenarios with a separate control plane, not a unified hybrid management plane for containerized applications across both environments. Option D is wrong because Cloud Deployment Manager is an infrastructure-as-code tool that uses YAML templates to deploy Google Cloud resources, but it does not manage containerized applications consistently across hybrid environments or provide a unified control plane.

639
MCQmedium

A data analyst needs to run ad-hoc SQL queries on a large dataset stored in Cloud Storage. The data is in CSV format and does not require real-time results. Which Google Cloud service should they use?

A.BigQuery
B.Dataflow
C.Cloud SQL
D.Cloud Dataproc
AnswerA

BigQuery can query external data in Cloud Storage directly using external tables, ideal for ad-hoc SQL analysis.

Why this answer

BigQuery supports external data sources; you can create an external table pointing to CSV files in Cloud Storage and run SQL queries without loading the data. This is ideal for ad-hoc analysis on existing data.

640
MCQeasy

A startup wants to automatically rotate encryption keys used for Cloud Storage objects every 90 days. Which service should they use?

A.Use Cloud Secret Manager to store and rotate encryption keys
B.Use default Cloud Storage encryption (SSE-GCP)
C.Use Cloud HSM to store keys and rotate manually
D.Use Cloud Key Management Service (KMS) with automatic rotation schedule
AnswerD

Cloud KMS allows setting a rotation period for customer-managed keys.

Why this answer

Option D is correct because Cloud KMS supports automatic key rotation with a configurable rotation period (e.g., every 90 days). When you create a key ring and key in Cloud KMS, you can set a rotation schedule, and Cloud KMS will automatically generate a new key version on the specified date. This allows the startup to meet the 90-day rotation requirement without manual intervention, and the new key version is used for encrypting new Cloud Storage objects while old versions remain available for decrypting existing data.

Exam trap

The trap here is that candidates often confuse Cloud Secret Manager (which stores secrets but does not rotate encryption keys automatically) with Cloud KMS (which provides automatic key rotation), or they assume that default Google-managed encryption (SSE-GCP) allows customer-controlled rotation schedules, which it does not.

How to eliminate wrong answers

Option A is wrong because Cloud Secret Manager is designed to store and manage secrets (e.g., API keys, passwords), not to rotate encryption keys for Cloud Storage objects; it lacks native automatic rotation scheduling for encryption keys. Option B is wrong because default Cloud Storage encryption (SSE-GCP) uses Google-managed keys that are rotated automatically by Google, but the customer cannot control or schedule the rotation period (e.g., 90 days); the rotation frequency is not configurable. Option C is wrong because Cloud HSM provides hardware-backed key storage but does not support automatic rotation; keys stored in Cloud HSM must be rotated manually, which contradicts the requirement for automatic rotation every 90 days.

641
MCQmedium

A company wants to receive a 15-minute response time for Priority 1 production issues and have a dedicated Technical Account Manager. Which support plan should they purchase?

A.Enhanced
B.Premium
C.Basic
D.Standard
AnswerB

Premium meets all requirements.

Why this answer

The Premium support plan offers a 15-minute response time for P1 issues and includes a Technical Account Manager (TAM).

642
MCQeasy

Which Google Cloud tool allows customers to measure the gross carbon emissions associated with their Google Cloud usage?

A.Google Cloud's Sustainability API
B.Carbon Footprint dashboard in the Google Cloud Console
C.Cloud Monitoring
D.Cloud Audit Logs
AnswerB

Cloud Carbon Footprint reports carbon emissions of GCP usage.

Why this answer

The Cloud Carbon Footprint tool provides visibility into the gross carbon emissions associated with a customer's Google Cloud usage.

643
MCQeasy

Which term describes the model where the cloud provider is responsible for the security of the cloud infrastructure, while the customer is responsible for security within their own cloud environment (data, applications, access management)?

A.Zero trust security model
B.Shared responsibility model
C.Defense in depth strategy
D.Identity federation model
AnswerB

The shared responsibility model defines that Google Cloud secures the infrastructure ('security of the cloud') while customers secure their data and applications ('security in the cloud').

Why this answer

The shared responsibility model defines the division of security responsibilities between the cloud provider and the customer. Google secures the physical infrastructure, hardware, hypervisor, and core services. The customer secures what they put in the cloud: data classification, access control, application security, network configuration, and compliance.

The boundary between provider and customer responsibility varies by service model (IaaS vs. PaaS vs. SaaS).

644
Multi-Selecthard

A security team needs to implement a zero-trust architecture for a web application that is accessed by both internal employees and external partners. They require context-aware access that checks device posture and identity. Which THREE components should they use? (Choose three.)

Select 3 answers
A.Identity-Aware Proxy (IAP)
B.VPC firewall rules
C.Access levels (context-aware conditions)
D.BeyondCorp Enterprise
E.Cloud Armor
AnswersA, C, D

Correct. IAP enforces access based on identity and context.

Why this answer

BeyondCorp Enterprise provides the zero-trust framework, including device and identity verification. Identity-Aware Proxy (IAP) is a key component that enforces access based on context. Access levels in IAP define conditions (e.g., device posture, IP range) that must be met for access.

Cloud Armor is for DDoS/WAF, not context-aware access. VPC firewall rules are network-level, not user-level. Chronicle is a SIEM.

645
MCQeasy

Which Google Cloud service can be used to create and manage virtual networks, subnets, firewall rules, and VPN connections?

A.Cloud Armor
B.Cloud Load Balancing
C.Cloud VPC
D.Cloud CDN
AnswerC

Cloud VPC provides virtual networking with subnets, firewalls, and VPN.

Why this answer

Cloud VPC (Virtual Private Cloud) provides networking capabilities including subnets, firewalls, and VPNs.

646
MCQmedium

A company runs a critical application on Compute Engine in us-central1. They plan to create a disaster recovery (DR) site in us-west1 that can be activated within minutes if the primary region fails. What is the most cost-effective DR strategy that meets the recovery time objective (RTO) of 30 minutes?

A.Cold standby with regular backups to Cloud Storage.
B.Warm standby in us-west1 with preemptible VMs and persistent disk snapshots.
C.Active-active deployment in both regions with load balancing.
D.Use a managed instance group in us-west1 with replication from the primary.
AnswerB

Snapshots can be used to create disks quickly, and preemptible VMs reduce cost.

Why this answer

Option B is correct because a warm standby using preemptible VMs and persistent disk snapshots provides a cost-effective DR solution that can be activated within minutes. Preemptible VMs are significantly cheaper than regular VMs, and persistent disk snapshots stored in Cloud Storage can be restored quickly to create new disks in us-west1, meeting the 30-minute RTO without the high cost of an always-on active-active deployment.

Exam trap

Google Cloud often tests the misconception that 'warm standby' always means running full instances, but here preemptible VMs combined with snapshots provide a low-cost warm standby that can be activated quickly, unlike cold standby which is too slow or active-active which is too expensive.

How to eliminate wrong answers

Option A is wrong because cold standby with regular backups to Cloud Storage typically has a much longer RTO (hours to days) due to the time required to restore full backups and provision infrastructure, failing the 30-minute RTO. Option C is wrong because active-active deployment in both regions with load balancing is the most expensive option, as it requires running full production capacity in both regions continuously, which is not cost-effective for a DR-only requirement. Option D is wrong because a managed instance group in us-west1 with replication from the primary implies continuous replication and running instances, which incurs ongoing costs similar to active-active, and does not leverage cost-saving measures like preemptible VMs or snapshot-based recovery.

647
MCQeasy

Which Google Cloud service provides a fully managed SIEM solution for log analysis, threat detection, and incident response?

A.Chronicle
B.Security Command Center
C.Operations Suite
D.Cloud Logging
AnswerA

Chronicle is Google Cloud's SIEM platform for log analysis and threat detection.

Why this answer

Chronicle is Google's SIEM offering that ingests logs and telemetry for security analytics.

648
MCQhard

A legacy on-premises application requires manual intervention for scaling and incurs high maintenance costs. The company wants to transform by adopting a microservices architecture on Google Cloud. Which Google Cloud service is most suitable for running containerized microservices in a managed environment?

A.Cloud Functions
B.App Engine
C.Google Kubernetes Engine (GKE)
D.Compute Engine
AnswerC

GKE is optimized for managing containerized microservices with autoscaling and self-healing.

Why this answer

Option C is correct because Google Kubernetes Engine (GKE) is a managed Kubernetes service designed for container orchestration, ideal for microservices. Compute Engine (A) is IaaS, Cloud Functions (B) is serverless functions, and App Engine (D) is PaaS for web applications.

649
MCQmedium

A company wants to migrate an on-premises PostgreSQL database to Google Cloud with minimal changes to the application code. They also require high availability with automatic failover. Which service should they use?

A.AlloyDB
B.Cloud Spanner
C.Cloud SQL
D.Compute Engine with PostgreSQL
AnswerC

Cloud SQL for PostgreSQL offers managed PostgreSQL with HA and automatic failover, minimal code changes.

Why this answer

Cloud SQL for PostgreSQL provides a managed PostgreSQL service with automatic failover, read replicas, and high availability (HA) configuration. AlloyDB is PostgreSQL-compatible but is designed for high-performance analytical workloads and may require some application changes. Compute Engine would require manual setup.

650
MCQmedium

A company runs batch analytics jobs every night using Apache Spark on a cluster. The jobs require 100 vCPUs and run for 3 hours. The cluster must be created, run, and then shut down automatically to minimise cost. Which service should they use?

A.Cloud Dataflow
B.Cloud Dataproc
C.Google Kubernetes Engine (GKE)
D.Compute Engine with managed instance groups
AnswerB

Cloud Dataproc supports job-scoped clusters that automatically terminate after job completion, minimising cost.

Why this answer

Cloud Dataproc is a managed Spark/Hadoop service that supports job-scoped clusters: you define a cluster configuration, submit a job, and the cluster is automatically deleted after completion. Compute Engine requires manual management. Dataflow is for Beam, not Spark.

GKE is generic Kubernetes, not optimised for Spark batch jobs.

651
MCQmedium

A product team is discussing how to handle a planned 48-hour maintenance window for a critical customer-facing service. The SRE team argues the maintenance window is unnecessary with proper cloud architecture. Which cloud capability eliminates the need for planned downtime maintenance windows?

A.Longer maintenance windows scheduled during off-peak hours to minimize customer impact
B.Zero-downtime deployment strategies like rolling updates and blue/green deployments, combined with cloud live migration for infrastructure maintenance
C.Notifying customers in advance of the maintenance window and offering service credits for the downtime
D.Backing up all data before the maintenance window to ensure recovery if something goes wrong
AnswerB

This is the architectural answer to planned downtime. Rolling updates deploy new code gradually (some instances get new version while others serve traffic). Blue/green deployments switch traffic atomically. Live migration moves VMs between physical hosts for maintenance without rebooting. Together, these eliminate the need for maintenance windows.

Why this answer

Option B is correct because cloud platforms like Google Cloud support zero-downtime deployment strategies (rolling updates, blue/green deployments) and live migration for infrastructure maintenance. Live migration transparently moves running VMs between hosts without interrupting the OS or applications, while blue/green deployments allow traffic to be switched to a fully updated environment before the old one is taken down. Together, these capabilities eliminate the need for planned downtime maintenance windows entirely.

Exam trap

The trap here is that candidates confuse 'reducing impact' (options A, C, D) with 'eliminating downtime' (option B), failing to recognize that only architectural strategies like live migration and zero-downtime deployments remove the need for a maintenance window altogether.

How to eliminate wrong answers

Option A is wrong because scheduling longer maintenance windows during off-peak hours still requires planned downtime, which contradicts the goal of eliminating it entirely. Option C is wrong because notifying customers and offering service credits does not prevent downtime; it only compensates for it after the fact. Option D is wrong because backing up data before a maintenance window is a recovery measure, not a prevention strategy, and does not eliminate the need for downtime during the maintenance.

652
MCQeasy

An engineer needs to deploy a web application that runs on a custom runtime (e.g., Ruby on Rails with system dependencies). The application must automatically scale based on traffic and should not require managing the underlying infrastructure. Which Google Cloud compute service is MOST appropriate?

A.App Engine Standard environment
B.Cloud Run
C.App Engine Flexible environment
D.Cloud Functions
AnswerC

App Engine Flexible allows custom runtimes via Docker containers, scales automatically, and is fully managed.

Why this answer

App Engine Flexible environment supports custom runtimes via Docker containers, allowing any web framework. It automatically scales and is fully managed. App Engine Standard only supports predefined runtimes.

Cloud Run is serverless but not designed for long-running web apps with custom runtimes? Actually Cloud Run also supports custom containers, but App Engine Flexible is a PaaS that handles scaling, updates, and load balancing out of the box. However, Cloud Run is also a good candidate. But the question says 'MOST appropriate' for a web app with custom runtime and automatic scaling without managing infrastructure.

App Engine Flexible is a PaaS specifically for web apps, while Cloud Run is more for containerised microservices. The key difference: App Engine Flexible offers a managed environment with health checks, automatic scaling based on request latency, and session affinity. Cloud Run is also serverless and can serve web apps, but it is more focused on containers.

Considering the description 'web application' and 'custom runtime', App Engine Flexible is the classic choice. But note: Cloud Run also qualifies. However, the question says 'should not require managing the underlying infrastructure', both are serverless.

But App Engine Flexible is a PaaS that abstracts away the container orchestration. I think the intended answer is App Engine Flexible. However, Cloud Run is also correct? Let's see the options: Cloud Functions is not for web apps, Compute Engine requires managing VMs.

So between App Engine Standard and Flexible, Standard does not allow custom runtimes. So Flexible is correct.

653
MCQhard

A company uses Cloud SQL for MySQL to store transactional data. They want to run complex analytical queries that join multiple tables and aggregate millions of rows, but the queries are slow and impacting production performance. They need a solution that minimises impact on the transactional database. What is the BEST approach?

A.Create a Cloud SQL read replica and run analytical queries on the replica
B.Upgrade the primary Cloud SQL instance to a higher machine type
C.Export the data to Cloud Storage and load it into BigQuery for analysis
D.Enable Cloud SQL query caching on the primary instance
AnswerA

A read replica offloads read-only queries from the primary, protecting transactional performance.

Why this answer

Setting up a read replica in Cloud SQL moves analytical queries off the primary instance, preventing performance impact. BigQuery is designed for analytics but would require data export/import, adding latency. Enabling query caching only helps repeated identical queries.

Increasing machine type helps but doesn't fully isolate analytical workload.

654
MCQhard

An organization needs to store archival data that must be retained for 10 years for compliance. Access to this data is expected to be less than once a year, and retrieval can take up to 24 hours. Which Cloud Storage class is the MOST cost-effective for this data?

A.Coldline storage class
B.Nearline storage class
C.Archive storage class
D.Standard storage class
AnswerC

Archive is the cheapest, designed for data accessed less than once a year, with retrieval times up to 24 hours.

Why this answer

Archive storage is the lowest-cost class designed for long-term preservation with retrieval times in hours.

655
MCQmedium

A company's operations team needs visibility into network traffic patterns, latency between services, and potential network bottlenecks across their Google Cloud deployment. Which Google Cloud product provides network performance monitoring, connectivity testing, and traffic analysis?

A.Cloud Armor, which provides DDoS protection and traffic filtering
B.Network Intelligence Center, which provides network topology visualization, connectivity testing, firewall analysis, and performance monitoring
C.Cloud DNS, which translates domain names to IP addresses
D.Cloud VPN, which creates encrypted tunnels between cloud and on-premises networks
AnswerB

Network Intelligence Center is the correct answer. It includes: Topology module (visualizes network connections), Connectivity Tests (tests reachability between endpoints), Firewall Insights (analyzes firewall rule usage), and Performance Dashboard (shows latency and packet loss). This directly addresses the network visibility requirement.

Why this answer

The Network Intelligence Center is the correct choice because it is a Google Cloud-native product specifically designed to provide network performance monitoring (latency, packet loss, throughput), connectivity testing (Connectivity Tests), and traffic analysis (Flow Tracer, Firewall Insights). It offers a unified dashboard for visualizing network topology, analyzing firewall rules, and diagnosing connectivity issues across VPCs, hybrid clouds, and on-premises environments, directly addressing the need for visibility into traffic patterns and bottlenecks.

Exam trap

The trap here is that candidates may confuse Cloud Armor's traffic filtering with network performance monitoring, or assume that Cloud VPN's encrypted tunnels inherently provide visibility into traffic patterns, when in fact neither product offers the diagnostic and monitoring capabilities of Network Intelligence Center.

How to eliminate wrong answers

Option A is wrong because Cloud Armor is a web application firewall (WAF) and DDoS protection service that filters incoming traffic based on security rules; it does not provide network performance monitoring, latency analysis, or connectivity testing. Option C is wrong because Cloud DNS is a managed DNS service that resolves domain names to IP addresses; it has no capability for network traffic analysis, latency monitoring, or bottleneck detection. Option D is wrong because Cloud VPN creates encrypted IPsec tunnels for secure connectivity between cloud and on-premises networks; it does not offer performance monitoring, traffic analysis, or connectivity testing features.

656
MCQeasy

Which Google Cloud security layer is responsible for protecting data stored on disk using either Google-managed or customer-managed encryption keys?

A.Operational security
B.Infrastructure security
C.Data security
D.Hardware security
AnswerC

Data security includes encryption at rest, encryption in transit, and data loss prevention.

Why this answer

Data encryption at rest is a core component of data security, ensuring data stored on disk is encrypted. Google Cloud encrypts all data at rest by default using Google-managed keys, with options for CMEK and CSEK.

657
Multi-Selecteasy

Which THREE of the following are compute services offered by Google Cloud? (Choose exactly 3.)

Select 3 answers
A.Compute Engine
B.Cloud Functions
C.Cloud Storage
D.App Engine
E.Cloud SQL
AnswersA, B, D

IaaS virtual machines.

Why this answer

Compute Engine is a core Google Cloud compute service that provides virtual machines (VMs) running on Google's infrastructure. It allows you to create and manage VM instances with custom machine types, persistent disks, and networking configurations, making it a fundamental compute offering for running general-purpose workloads.

Exam trap

The trap here is that candidates confuse storage and database services (Cloud Storage, Cloud SQL) with compute services, because all are part of Google Cloud's core offerings, but only services that execute code or run applications qualify as compute.

658
Multi-Selectmedium

A company runs a stateful web application on Compute Engine. They need to ensure that persistent data is retained if an instance fails, and that traffic is automatically distributed across healthy instances. Which TWO Google Cloud services should they use? (Choose 2)

Select 2 answers
A.Cloud DNS
B.Persistent Disk
C.Cloud Load Balancing
D.Cloud CDN
E.Cloud NAT
AnswersB, C

Persistent Disk stores data independently of the instance, ensuring data persistence.

Why this answer

Persistent Disk provides durable block storage that can be attached to Compute Engine instances, retaining data even if the instance terminates. Cloud Load Balancing distributes traffic across a managed instance group and automatically routes traffic away from failed instances. Cloud DNS resolves domain names but does not provide load balancing.

Cloud CDN caches content. Cloud NAT is for outbound connectivity.

659
MCQmedium

Given the Cloud Run service configuration above, what happens when a new revision is created after deploying a change to the container image?

A.Traffic is split evenly between the old and new revision.
B.The service becomes unavailable until the new revision is ready.
C.Cloud Run automatically creates a new revision and routes traffic to it.
D.The new revision receives all traffic automatically.
E.Traffic continues to go to the old revision until the traffic section is updated.
AnswerE

The configuration explicitly routes traffic to a specific revision, so new revisions are not served until the traffic section is modified.

Why this answer

Option E is correct because Cloud Run, by default, does not automatically shift traffic to a new revision. When you deploy a change, a new revision is created, but it receives 0% of traffic until you explicitly update the traffic configuration (e.g., via the console, gcloud run deploy --no-traffic, or the traffic section). This allows you to test the new revision before directing any live requests to it.

Exam trap

Google Cloud often tests the misconception that Cloud Run automatically routes all traffic to the latest revision, but the default behavior actually depends on how you deploy—using --no-traffic leaves the new revision at 0% traffic, and even without that flag, the traffic update is part of the same deployment operation, not an automatic background process.

How to eliminate wrong answers

Option A is wrong because Cloud Run does not automatically split traffic evenly; traffic splitting is a manual configuration and defaults to 100% on the latest revision only if you use the default deployment behavior (which actually sends all traffic to the new revision, but only if you don't use --no-traffic). Option B is wrong because Cloud Run supports zero-downtime deployments; the service remains available on the old revision while the new revision is being created and warmed up. Option C is wrong because while Cloud Run does create a new revision automatically, it does not automatically route traffic to it; traffic routing is a separate, manual step.

Option D is wrong because the new revision does not receive all traffic automatically; by default, it receives 0% traffic unless you explicitly configure it to receive traffic or use the default deployment without --no-traffic (which actually does send all traffic, but the question's context implies a scenario where traffic is not automatically routed, as per the correct answer).

660
MCQmedium

A company's cloud costs have grown faster than its business. The FinOps team is implementing cloud cost governance. Which practice most effectively ensures that individual teams are accountable for their cloud spending?

A.Requiring all teams to use only the cheapest available cloud service options regardless of technical requirements
B.Implementing consistent resource labeling and chargeback reporting so each team's cloud spending is visible and attributed to them
C.Consolidating all cloud accounts under a single centralized IT team that controls all cloud resource creation
D.Disabling all non-production environments to eliminate spending outside of production
AnswerB

Labeling (attaching team/product/cost center metadata to every cloud resource) enables per-team cost attribution from billing data. Chargeback transfers the cost to the team's budget; showback provides visibility. Both create accountability by making spending visible and personally consequential to the team that incurs it.

Why this answer

Option B is correct because implementing consistent resource labeling and chargeback reporting directly enables cost attribution to individual teams. In Google Cloud, labels are key-value pairs attached to resources, and when combined with billing export to BigQuery, they allow granular cost breakdowns per team. This creates clear accountability by making each team's spending visible and chargeable back to their budget, which is the core principle of cloud cost governance.

Exam trap

Google Cloud often tests the misconception that cost governance is about restricting spending (options A, C, D) rather than enabling visibility and accountability through attribution mechanisms like labeling and chargeback.

How to eliminate wrong answers

Option A is wrong because forcing all teams to use the cheapest cloud service options regardless of technical requirements can lead to performance degradation, security vulnerabilities, or non-compliance, and it does not foster accountability—it imposes a blanket restriction that ignores workload-specific needs. Option C is wrong because consolidating all cloud accounts under a single centralized IT team that controls all resource creation removes team autonomy and creates a bottleneck, which often leads to shadow IT as teams bypass controls, and it does not make individual teams accountable for their spending. Option D is wrong because disabling all non-production environments eliminates testing and development, which are essential for innovation and quality assurance, and it does not address cost governance—it only cuts costs at the expense of business operations.

661
MCQeasy

A developer wants to run her application code without managing any servers, operating systems, or runtime environments. She wants to focus entirely on writing business logic. Which cloud service model best fits this requirement?

A.Infrastructure as a Service (IaaS), where the developer provisions virtual machines and installs the runtime
B.Platform as a Service (PaaS), where the developer deploys code to a managed platform that handles the OS and runtime
C.Serverless / Functions as a Service (FaaS), where the developer writes and deploys code functions and the provider manages all underlying infrastructure automatically
D.Software as a Service (SaaS), where the developer uses a fully managed application built by the cloud provider
AnswerC

FaaS/serverless is the model where the developer's only concern is the business logic in the function. There are no servers to configure, no OS to patch, no capacity to plan. The runtime is automatically managed and scaled by the provider.

Why this answer

Serverless/FaaS (Option C) is the correct choice because it abstracts away all server, OS, and runtime management, allowing the developer to deploy individual functions that execute in response to events. The cloud provider automatically scales and manages the underlying infrastructure, so the developer writes only business logic without provisioning or patching anything.

Exam trap

Google Cloud often tests the distinction between PaaS and FaaS by describing a scenario where the developer wants to avoid managing servers and runtimes, leading candidates to choose PaaS because it abstracts the OS, but the key difference is that FaaS also eliminates runtime management and allows function-level granularity, which PaaS does not fully achieve.

How to eliminate wrong answers

Option A is wrong because IaaS requires the developer to provision and manage virtual machines, install the OS, configure the runtime, and handle patching—contradicting the requirement to avoid server and OS management. Option B is wrong because PaaS still involves managing the runtime environment (e.g., choosing a runtime version, configuring scaling rules) and the developer must deploy an entire application, not just functions; it does not eliminate all infrastructure concerns as FaaS does. Option D is wrong because SaaS provides a fully built application that the developer uses, not a platform for writing and deploying custom business logic.

662
Multi-Selecteasy

Which TWO of the following are common use cases for deploying workloads to the cloud? (Choose 2)

Select 2 answers
A.High-frequency trading requiring microsecond latency
B.Air-gapped, classified workloads with no internet connection
C.Running a legacy mainframe application that requires dedicated hardware
D.Running a global SaaS application for customers worldwide
E.Data backup and disaster recovery
AnswersD, E

Cloud enables global distribution and easy scaling.

Why this answer

Option D is correct because cloud platforms like AWS, Azure, and GCP provide global infrastructure with multiple regions and edge locations, enabling SaaS applications to serve customers worldwide with low latency via CDNs and load balancers. Option E is correct because cloud storage services (e.g., Amazon S3, Azure Blob Storage) offer durable, cost-effective off-site backup and automated disaster recovery through replication across Availability Zones or Regions, often with 99.999999999% durability.

Exam trap

Google Cloud often tests the misconception that 'cloud is suitable for all workloads,' but the trap here is that candidates may select options like A or C because they sound like 'advanced' use cases, failing to recognize that cloud's shared infrastructure and network dependency make it unsuitable for ultra-low-latency or air-gapped scenarios.

663
MCQmedium

A financial services company is required to keep all data within a specific geographic region for regulatory compliance. They plan to deploy a globally distributed application using Cloud Spanner. How should they configure Cloud Spanner to meet this compliance requirement?

A.Use a multi-region configuration with a write region in the required region
B.Use a multi-region configuration but restrict access to only one region
C.Use a single-region configuration in the required region
D.Use a dual-region configuration
AnswerC

Single-region configuration keeps all replicas within one region, satisfying data residency.

Why this answer

Cloud Spanner allows you to choose specific regions for your instance, and replicas are placed only within that region. Multi-region configurations span multiple geographic areas and would violate the data residency requirement. Therefore, a single-region configuration is required.

664
MCQhard

A traditional bank is considering adopting open banking — exposing its financial data and transaction capabilities as APIs to third-party developers (with customer consent). This enables FinTech startups to build new financial products on top of the bank's infrastructure. What cloud capability is most essential to safely and scalably implement open banking?

A.A large data warehouse (BigQuery) to store all transaction data for developer access.
B.A managed API platform (like Apigee) that provides authentication, rate limiting, developer portal, and usage monitoring for third-party API consumers.
C.A dedicated cloud region in each country where the bank operates to minimize latency for API consumers.
D.A blockchain infrastructure to create an immutable record of all API transactions.
AnswerB

Apigee or similar API management platforms handle the controlled external exposure: OAuth/OIDC consent flows, per-developer quotas, usage analytics, and a developer portal — essential for open banking.

Why this answer

Option B is correct because open banking requires secure, scalable, and controlled exposure of APIs to third-party developers. A managed API platform like Apigee provides essential capabilities such as OAuth 2.0 authentication, rate limiting, developer portal, and usage monitoring, which are critical for ensuring safe and scalable API consumption. Without these controls, the bank cannot enforce security policies, manage access, or monitor usage effectively.

Exam trap

Google Cloud often tests the misconception that open banking is primarily about data storage or latency, when in fact the critical challenge is secure, scalable API management with authentication and rate limiting.

How to eliminate wrong answers

Option A is wrong because a data warehouse like BigQuery is designed for analytical queries on large datasets, not for real-time API exposure or access control; storing transaction data directly for developer access would bypass security and create compliance risks. Option C is wrong because while minimizing latency is beneficial, dedicated cloud regions are not the most essential capability for open banking; the core requirement is secure API management, not geographic proximity. Option D is wrong because blockchain provides an immutable ledger but does not address the fundamental needs of API authentication, rate limiting, or developer management; it adds unnecessary complexity and does not replace an API gateway.

665
MCQmedium

A company's web application faces DDoS attacks and SQL injection attempts from the internet. They need a service that sits in front of their load balancer to block malicious traffic before it reaches their application servers. Which Google Cloud service provides this protection?

A.Cloud Firewall (VPC firewall rules)
B.Cloud Armor
C.Cloud VPN
D.Cloud Identity-Aware Proxy (IAP)
AnswerB

Cloud Armor provides DDoS protection and WAF capabilities at the load balancer edge. It can block volumetric DDoS attacks and inspect HTTP content for SQL injection, XSS, and other OWASP threats before they reach application servers.

Why this answer

Cloud Armor is Google Cloud's web application firewall (WAF) and DDoS mitigation service that operates at the edge of Google's network, in front of the load balancer. It can filter incoming traffic based on Layer 7 rules (e.g., SQL injection patterns, cross-site scripting) and Layer 3/4 conditions (e.g., IP reputation, rate limiting), blocking malicious requests before they reach the load balancer or application servers. This makes it the correct choice for protecting against both DDoS attacks and SQL injection attempts at the network perimeter.

Exam trap

The trap here is that candidates confuse Cloud Armor (a WAF/DDoS protection service) with VPC firewall rules (Cloud Firewall), which only provide stateful packet filtering at the network layer and cannot inspect application-layer attacks like SQL injection.

How to eliminate wrong answers

Option A is wrong because Cloud Firewall (VPC firewall rules) operates at Layer 3/4 within the VPC network, not in front of the load balancer, and cannot inspect application-layer payloads like SQL injection patterns. Option C is wrong because Cloud VPN is a secure tunnel for connecting on-premises networks to Google Cloud, not a security service for filtering internet traffic or blocking web attacks. Option D is wrong because Cloud Identity-Aware Proxy (IAP) controls access to applications based on user identity and context (e.g., OAuth, SSO), not by inspecting traffic for malicious payloads or volumetric DDoS attacks.

666
MCQhard

An architect is evaluating whether to use a relational database or a NoSQL database for a new application that must store product catalog data. Products have highly variable attributes — a book has ISBN, author, and genre; a bicycle has frame size, wheel diameter, and material. Which database characteristic makes NoSQL document databases advantageous for this use case?

A.NoSQL databases always provide faster query performance than relational databases for all use cases
B.NoSQL document databases support flexible schemas where each document can have different fields — making them well-suited for product catalogs where different product types have different attributes
C.NoSQL databases support ACID transactions better than relational databases, making them safer for product catalog updates
D.NoSQL databases are simpler to query because they don't require learning SQL
AnswerB

Schema flexibility is the key advantage here. In a relational table, all rows share the same columns — a shared schema requires either many NULL columns (one per possible attribute across all product types) or complex entity-attribute-value designs. Document databases store each product as a flexible JSON document, accommodating variable attributes naturally without schema changes.

Why this answer

NoSQL document databases, such as MongoDB, store data in flexible, schema-less documents (often JSON or BSON). This allows each document to have a different set of fields, making them ideal for product catalogs where a book and a bicycle have entirely different attributes (e.g., ISBN vs. frame size). Relational databases require a predefined schema with fixed columns, forcing you to either create many sparse columns or use complex join tables to handle variable attributes.

Exam trap

Google Cloud often tests the misconception that NoSQL is always faster or simpler than SQL, but the real advantage here is schema flexibility, not performance or ease of querying.

How to eliminate wrong answers

Option A is wrong because NoSQL databases do not always provide faster query performance; relational databases can be faster for complex joins and aggregations, and performance depends on the specific use case and indexing. Option C is wrong because NoSQL databases typically relax ACID guarantees (e.g., eventual consistency) to achieve scalability, while relational databases offer stronger ACID transactions, making them safer for critical updates. Option D is wrong because NoSQL databases often require learning their own query languages or APIs (e.g., MongoDB's aggregation pipeline), and SQL is a standardized, widely understood language; the simplicity of querying depends on the task, not the database type.

667
Drag & Dropmedium

Drag and drop the steps to set up a Cloud Storage bucket with uniform bucket-level access into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

The process begins with accessing Cloud Storage, then creating a bucket, naming it, selecting storage settings, and enabling uniform access control.

668
MCQeasy

A startup needs to migrate an on-premises web application to the cloud with minimal operational overhead. The application runs on a custom runtime that is difficult to containerize. The team wants to focus only on code, not infrastructure management. Which Google Cloud service is MOST appropriate?

A.Compute Engine
B.Google Kubernetes Engine (GKE)
C.App Engine
D.Cloud Run
AnswerC

App Engine is a PaaS that manages the runtime, letting developers focus solely on code.

Why this answer

App Engine is a PaaS offering that fully manages the runtime environment, allowing developers to deploy code without managing servers or containers. Cloud Run requires containerization, Compute Engine is IaaS (more overhead), and GKE requires managing Kubernetes clusters.

669
MCQhard

A company's cloud architect explains that their new system uses 'eventual consistency' for some data operations. A business stakeholder asks why the system won't always show the most up-to-date data immediately. What is the trade-off being made?

A.Eventual consistency is a bug — the system should be fixed to always show current data.
B.Eventual consistency trades immediate data accuracy for higher availability and better performance — all nodes will converge to the same value, just not instantaneously.
C.Eventual consistency means data is eventually deleted, which reduces storage costs.
D.Eventual consistency only applies to deleted data — new data always appears immediately.
AnswerB

In eventually consistent systems, writes propagate asynchronously. All replicas converge to the same value within a short time window. This enables higher throughput and availability than strong consistency, which requires synchronous coordination across all nodes.

Why this answer

Option B is correct because eventual consistency is a deliberate design choice in distributed systems (such as those using Amazon DynamoDB or Apache Cassandra) where the system prioritizes high availability and low-latency reads/writes over immediate consistency. Under the hood, data updates propagate asynchronously to replicas, and all nodes will eventually converge to the same value via mechanisms like gossip protocols or vector clocks, but there is a window where stale data may be returned. This trade-off is fundamental to the CAP theorem, which states that in a distributed data store, you can only guarantee two of Consistency, Availability, and Partition Tolerance simultaneously.

Exam trap

Google Cloud often tests the misconception that eventual consistency is a fault or a temporary bug, when in fact it is a deliberate design trade-off to achieve high availability and partition tolerance in distributed systems.

How to eliminate wrong answers

Option A is wrong because eventual consistency is not a bug; it is a deliberate architectural trade-off defined in the CAP theorem, and fixing it to always show current data would require sacrificing availability or partition tolerance. Option C is wrong because eventual consistency does not mean data is eventually deleted; it refers to the timing of data propagation across replicas, not data retention or deletion policies. Option D is wrong because eventual consistency applies to all data operations (writes, updates, deletes), not just deleted data; new data may also not appear immediately on all nodes until the asynchronous replication completes.

670
MCQeasy

A company runs a data processing pipeline on a single Compute Engine instance in us-west1-a. The instance reads data from Cloud Storage, processes it, and writes results back to Cloud Storage. The pipeline runs once per day and takes about 6 hours. Recently, the instance has been experiencing out-of-memory errors, causing the pipeline to fail. The operations team wants a cost-effective solution that can handle varying data volumes without manual intervention. They also want to ensure the pipeline completes within the daily window. What should they do?

A.Use a managed instance group with autoscaling based on CPU utilization.
B.Redesign the pipeline to run on Cloud Dataflow and use batch mode with autoscaling.
C.Redesign the pipeline to run on Cloud Dataflow and use streaming mode.
D.Increase the memory of the existing instance to a larger machine type.
AnswerB

Batch mode with autoscaling handles variable volumes and is cost-effective.

Why this answer

Option C is correct because redesigning the pipeline to use Cloud Dataflow batch mode with autoscaling automatically handles varying data volumes and scales resources as needed, ensuring completion within the daily window and being cost-effective (only paying for resources used). Option A is incorrect because increasing memory does not address scalability across variable data volumes and may not be cost-effective. Option B is incorrect because managed instance groups with CPU autoscaling are not designed for batch jobs; they would not scale properly for a single long-running job.

Option D is incorrect because Dataflow streaming mode is for continuous processing, not daily batch.

671
MCQmedium

An organization wants to enforce that all data stored in Cloud Storage buckets is encrypted with a key that they control and rotate periodically. They also need to audit key usage. Which approach should they take?

A.Use Customer-Supplied Encryption Keys (CSEK)
B.Use Customer-Managed Encryption Keys (CMEK) with Cloud KMS
C.Use default Google-managed encryption keys
D.Use Cloud External Key Manager (Cloud EKM)
AnswerB

CMEK allows customers to manage keys in Cloud KMS, rotate them, and audit usage.

Why this answer

Customer-Managed Encryption Keys (CMEK) via Cloud KMS allow customers to control and rotate keys and audit usage via Cloud Audit Logs.

672
Multi-Selectmedium

A company stores sensitive data in Cloud Storage. They want to restrict access to only users from the company's corporate network (IP range 203.0.113.0/24) and ensure data is encrypted at rest using a customer-managed key. Which TWO configurations are required? (Select 2)

Select 2 answers
A.Configure Cloud Armor with IP allowlist
B.Enable VPC Service Controls
C.Set a bucket policy with an IP address condition
D.Configure Cloud NAT
E.Use Cloud KMS to create and manage a key for CMEK
AnswersC, E

Using IAM conditions, you can restrict access to requests originating from the corporate IP range.

Why this answer

Cloud Storage bucket-level access control with IP-based conditions can restrict access to a specific IP range. CMEK requires Cloud KMS to create and manage the key. Cloud Armor is for HTTP(S) load balancing, not Cloud Storage.

VPC Service Controls provide perimeter security but are not IP-based. Cloud NAT is for outbound connectivity.

673
MCQeasy

A cloud architect wants to ensure that only certain users in the finance team can access a Cloud Storage bucket containing invoices. They also want to log all access attempts. Which two services should they use?

A.IAM and Cloud Audit Logs
B.Cloud NAT and Cloud Audit Logs
C.Cloud NAT and Cloud Load Balancing
D.IAM and Cloud CDN
AnswerA

IAM controls access; Cloud Audit Logs provide data access logging.

Why this answer

IAM (Identity and Access Management) is used to grant specific users (e.g., finance team members) granular access to the Cloud Storage bucket via roles like roles/storage.objectViewer. Cloud Audit Logs (specifically Admin Activity and Data Access audit logs) capture all access attempts, including who accessed the bucket, when, and from which IP address, meeting the logging requirement.

Exam trap

Google Cloud often tests the distinction between network-level services (like Cloud NAT, Cloud Load Balancing, Cloud CDN) and identity/audit services (IAM, Cloud Audit Logs), so candidates mistakenly choose networking options when the question explicitly asks about user access control and logging.

How to eliminate wrong answers

Option B is wrong because Cloud NAT (Network Address Translation) is used to enable outbound internet connectivity for private instances, not for controlling user access to Cloud Storage or logging access attempts. Option C is wrong because Cloud NAT and Cloud Load Balancing are networking services that do not provide identity-based access control or audit logging for Cloud Storage. Option D is wrong because Cloud CDN (Content Delivery Network) is used to cache content for low-latency delivery, not to restrict access to a bucket based on user identity or to log access attempts.

674
MCQmedium

A financial services company is subject to regulations requiring them to demonstrate that their cloud provider's employees cannot access customer data without the customer's explicit approval. Which Google Cloud feature most directly addresses this requirement?

A.Customer-Managed Encryption Keys (CMEK), where the customer controls the encryption key and can revoke access
B.Access Transparency and Access Approval, which log and require explicit customer approval for Google personnel access to customer content
C.Cloud Audit Logs, which record all customer actions within Google Cloud
D.VPC Service Controls, which prevent Google employees from accessing resources inside the service perimeter
AnswerB

Access Transparency logs all Google personnel access to customer content with justification codes. Access Approval requires Google to request explicit customer approval before accessing customer data. Together they directly address the regulatory requirement for customer oversight of provider access to their data.

Why this answer

Access Transparency and Access Approval directly address the regulatory requirement by providing near real-time logs of Google personnel actions on customer content and requiring explicit customer approval before such access can occur. Access Transparency logs every access attempt by Google employees, while Access Approval allows customers to approve or deny those requests, ensuring no unauthorized access without customer consent.

Exam trap

The GCDL exam often tests the distinction between encryption key control (CMEK) and access governance (Access Transparency/Approval), leading candidates to mistakenly choose CMEK because they conflate key management with personnel access control.

How to eliminate wrong answers

Option A is wrong because Customer-Managed Encryption Keys (CMEK) give customers control over encryption keys but do not log or require approval for Google personnel access to customer content; they protect data at rest but do not govern access by Google employees. Option C is wrong because Cloud Audit Logs record actions taken by customers within their own projects, not actions by Google personnel accessing customer content. Option D is wrong because VPC Service Controls create a security perimeter to prevent data exfiltration by customers or their resources, but they do not prevent Google employees from accessing resources inside the perimeter; they are designed to control data movement, not Google personnel access.

675
MCQmedium

A data engineer needs to process streaming clickstream data in real-time, apply transformations, and write the output to BigQuery. Which Google Cloud service is built for this use case?

A.Cloud Dataproc
B.Cloud Dataflow
C.Cloud Pub/Sub
D.Cloud Functions
AnswerB

Dataflow is designed for stream processing with built-in BigQuery I/O.

Why this answer

Dataflow is a managed stream and batch processing service perfect for real-time transformations and writing to BigQuery. Pub/Sub is for ingestion, Dataproc for Spark, and Cloud Functions for simple event-driven code.

Page 8

Page 9 of 14

Page 10