Sample questions
Google Cloud Digital Leader practice questions
A DevOps team wants to adopt GitOps practices for managing their Google Cloud infrastructure. Which combination of tools and practices defines a GitOps approach to cloud infrastructure management?
Trap 1: Manually applying Terraform changes from engineers' local machines…
Manual local applies with wiki documentation is not GitOps. There's no single source of truth (different engineers may have different local state), no automated reconciliation, and documentation diverges from actual state over time.
Trap 2: Using the Google Cloud Console to make infrastructure changes and…
Post-hoc export to Git is backwards GitOps — Git becomes a documentation store rather than the source of truth. Console changes that aren't reviewed via PR bypass governance controls.
Trap 3: GitOps only applies to application code deployment, not to cloud…
GitOps originated in application deployment but has been widely adopted for infrastructure management (infrastructure as code via Terraform, Pulumi, or Kubernetes-native Config Connector). It applies equally to both.
- A
Manually applying Terraform changes from engineers' local machines and documenting changes in a shared wiki
Why wrong: Manual local applies with wiki documentation is not GitOps. There's no single source of truth (different engineers may have different local state), no automated reconciliation, and documentation diverges from actual state over time.
- B
Storing all infrastructure as code (Terraform or Config Connector) in a Git repository, using pull requests for all changes, and automated CI/CD pipelines that apply changes and detect drift from the declared state
This is GitOps. Git repo as truth: ✓. Pull request process for changes: ✓ (provides review, approval, audit trail). Automated reconciliation: ✓ (CI/CD applies changes and detects drift). This pattern makes infrastructure management reproducible, auditable, and collaborative.
- C
Using the Google Cloud Console to make infrastructure changes and exporting the configuration to Git after each change
Why wrong: Post-hoc export to Git is backwards GitOps — Git becomes a documentation store rather than the source of truth. Console changes that aren't reviewed via PR bypass governance controls.
- D
GitOps only applies to application code deployment, not to cloud infrastructure management
Why wrong: GitOps originated in application deployment but has been widely adopted for infrastructure management (infrastructure as code via Terraform, Pulumi, or Kubernetes-native Config Connector). It applies equally to both.
A startup is building an application that sends daily promotional push notifications to millions of mobile users on both iOS and Android devices. Which Google Cloud or Google service most directly provides the infrastructure for sending these mobile push notifications?
Trap 1: Cloud Pub/Sub, which delivers messages to subscribed mobile…
Cloud Pub/Sub is a server-to-server messaging system. Mobile devices are not Pub/Sub subscribers — they use platform-specific push notification infrastructure (FCM, APNs). Pub/Sub could trigger a backend service that then sends via FCM, but Pub/Sub alone doesn't deliver to mobile devices.
Trap 2: Cloud Storage, by writing notification content to buckets that…
Polling Cloud Storage for notifications would require mobile apps to make constant API requests, draining battery and creating high latency. Push notifications are delivered to devices by the platform (FCM/APNs), not pulled by apps.
Trap 3: Cloud Run, by exposing an API that mobile applications call to…
Pull-based notification APIs require mobile apps to poll for messages, which is inefficient. FCM's push model delivers notifications to devices without the app needing to poll — even when the app is not active in the foreground.
- A
Cloud Pub/Sub, which delivers messages to subscribed mobile application instances
Why wrong: Cloud Pub/Sub is a server-to-server messaging system. Mobile devices are not Pub/Sub subscribers — they use platform-specific push notification infrastructure (FCM, APNs). Pub/Sub could trigger a backend service that then sends via FCM, but Pub/Sub alone doesn't deliver to mobile devices.
- B
Firebase Cloud Messaging (FCM), which delivers push notifications to iOS and Android devices through Google's mobile notification infrastructure
FCM is the correct service. It provides the complete push notification pipeline: device token management, message composition, cross-platform delivery (Android via FCM protocol, iOS via APNs), delivery analytics, and topic-based message broadcasting for millions of subscribers. It's the standard Google/Firebase solution for mobile push notifications.
- C
Cloud Storage, by writing notification content to buckets that mobile applications poll for new messages
Why wrong: Polling Cloud Storage for notifications would require mobile apps to make constant API requests, draining battery and creating high latency. Push notifications are delivered to devices by the platform (FCM/APNs), not pulled by apps.
- D
Cloud Run, by exposing an API that mobile applications call to retrieve their pending notifications
Why wrong: Pull-based notification APIs require mobile apps to poll for messages, which is inefficient. FCM's push model delivers notifications to devices without the app needing to poll — even when the app is not active in the foreground.
A digital media company hosts video content globally. They want to reduce origin server load and deliver content faster to viewers worldwide. Their current architecture routes all viewer requests directly to the origin servers in `us-central1`, causing high latency for viewers in Asia and Europe. Which Google Cloud networking capability addresses this?
Trap 1: Deploy identical origin servers in every Google Cloud region…
Replicating full origin servers in every region is operationally expensive and complex to synchronize. CDN achieves the same performance benefit by caching at edge PoPs without full origin replication.
Trap 2: Use Cloud VPN to route viewer traffic through a direct tunnel to…
VPN creates encrypted tunnels between networks — it doesn't cache content or improve CDN-style performance. VPN adds overhead rather than reducing latency.
Trap 3: Increase the origin servers' network bandwidth to handle more…
More bandwidth on the origin doesn't reduce geographic latency for distant viewers. CDN fundamentally solves the distance problem by moving content closer to users.
- A
Deploy identical origin servers in every Google Cloud region globally.
Why wrong: Replicating full origin servers in every region is operationally expensive and complex to synchronize. CDN achieves the same performance benefit by caching at edge PoPs without full origin replication.
- B
Enable Cloud CDN to cache video content at Google's global edge PoPs, serving viewers from the nearest location.
Cloud CDN caches video content at edge PoPs globally. Asian viewers receive content from nearby PoPs (not us-central1), reducing latency significantly and offloading origin servers.
- C
Use Cloud VPN to route viewer traffic through a direct tunnel to the origin servers.
Why wrong: VPN creates encrypted tunnels between networks — it doesn't cache content or improve CDN-style performance. VPN adds overhead rather than reducing latency.
- D
Increase the origin servers' network bandwidth to handle more simultaneous viewer connections.
Why wrong: More bandwidth on the origin doesn't reduce geographic latency for distant viewers. CDN fundamentally solves the distance problem by moving content closer to users.
A development team uses Cloud Build to automatically build, test, and create container images whenever code is pushed to their repository. The resulting Docker images need to be stored securely and made available to their GKE deployment pipelines. Which Google Cloud service stores and manages these container images?
Trap 1: Cloud Storage bucket with a `containers/` folder.
Docker images cannot be stored in Cloud Storage as plain files — they use a specific registry protocol (OCI/Docker). Artifact Registry implements the required container registry API.
Trap 2: Cloud SQL — storing build artifacts in a relational database.
Cloud SQL is a relational database for structured data. Container images are binary artifacts stored in a registry service like Artifact Registry, not a database.
Trap 3: Cloud Source Repositories — the code repository stores both source…
Cloud Source Repositories is a Git-based source code repository. Container images (built artifacts) are stored in Artifact Registry, not source code repositories.
- A
Cloud Storage bucket with a `containers/` folder.
Why wrong: Docker images cannot be stored in Cloud Storage as plain files — they use a specific registry protocol (OCI/Docker). Artifact Registry implements the required container registry API.
- B
Artifact Registry
Artifact Registry stores Docker images, Helm charts, and other build artifacts. Cloud Build pushes images here; GKE and Cloud Run pull from here during deployment. It also performs vulnerability scanning.
- C
Cloud SQL — storing build artifacts in a relational database.
Why wrong: Cloud SQL is a relational database for structured data. Container images are binary artifacts stored in a registry service like Artifact Registry, not a database.
- D
Cloud Source Repositories — the code repository stores both source code and container images.
Why wrong: Cloud Source Repositories is a Git-based source code repository. Container images (built artifacts) are stored in Artifact Registry, not source code repositories.
A startup wants to launch a new product globally within 2 weeks. If it relied on traditional on-premises infrastructure, provisioning servers would take 6–8 weeks. By using the public cloud, the startup can launch on time. Which cloud benefit does this scenario illustrate?
Trap 1: Economies of scale — the cloud provider has more purchasing power…
Economies of scale is a cloud benefit, but it relates to cost efficiency, not speed of deployment. The scenario specifically highlights the speed advantage.
Trap 2: Geographic reach — the cloud provider has data centers in more…
Geographic reach is relevant to global availability but the primary benefit illustrated here is the speed of provisioning, not the number of available regions.
Trap 3: Reliability — cloud providers have better uptime SLAs than…
Reliability (SLAs) is a cloud benefit but doesn't explain why the startup can launch in 2 weeks instead of 6–8 weeks.
- A
Economies of scale — the cloud provider has more purchasing power than the startup.
Why wrong: Economies of scale is a cloud benefit, but it relates to cost efficiency, not speed of deployment. The scenario specifically highlights the speed advantage.
- B
Speed and agility — cloud resources are provisioned in minutes, enabling faster time-to-market.
Cloud's on-demand provisioning eliminates the 6–8 week hardware procurement cycle, allowing the startup to go from idea to global deployment in days.
- C
Geographic reach — the cloud provider has data centers in more regions.
Why wrong: Geographic reach is relevant to global availability but the primary benefit illustrated here is the speed of provisioning, not the number of available regions.
- D
Reliability — cloud providers have better uptime SLAs than on-premises servers.
Why wrong: Reliability (SLAs) is a cloud benefit but doesn't explain why the startup can launch in 2 weeks instead of 6–8 weeks.
A company stores its data in Google Cloud. The security team asks: can Google employees access our customer data without our knowledge or consent? What does Google's commitment ensure?
Trap 1: Google employees have unrestricted access to all customer data as…
Google explicitly limits and logs personnel access to customer data. Access is tightly controlled, needs business justification, and is logged in Access Transparency.
Trap 2: Google uses customer data to train its global AI models to improve…
Google contractually commits that it does not use customer data to train AI models or for advertising. Customer data belongs to the customer.
Trap 3: Customer data stored in Google Cloud is automatically accessible by…
Government access requires legal process (court orders, etc.). Google has a government transparency report and commits to challenging overbroad requests. Data is not 'automatically accessible' by governments.
- A
Google employees have unrestricted access to all customer data as part of the infrastructure service agreement.
Why wrong: Google explicitly limits and logs personnel access to customer data. Access is tightly controlled, needs business justification, and is logged in Access Transparency.
- B
Google commits that customer data is not accessed without authorization, with access logged via Access Transparency and governed by contractual data processing commitments.
Google's contractual commitments (Cloud Data Processing Addendum), Access Transparency logging, and technical controls ensure customer data is only accessed for authorized purposes, with full auditability.
- C
Google uses customer data to train its global AI models to improve services.
Why wrong: Google contractually commits that it does not use customer data to train AI models or for advertising. Customer data belongs to the customer.
- D
Customer data stored in Google Cloud is automatically accessible by government agencies on request.
Why wrong: Government access requires legal process (court orders, etc.). Google has a government transparency report and commits to challenging overbroad requests. Data is not 'automatically accessible' by governments.
A global fintech company needs a database that can handle financial transactions across 50+ countries with consistent, ACID-compliant operations, SQL queries, and automatic global replication with no downtime for maintenance. Which Google Cloud database service meets all these requirements?
Trap 1: Cloud SQL (PostgreSQL)
Cloud SQL is a regional database — it doesn't automatically replicate globally. Cross-region failover is supported but not automatic global distribution with consistent transactions.
Trap 2: Cloud Bigtable
Bigtable is a NoSQL database (key-value) optimized for high-throughput non-transactional workloads. It doesn't support ACID transactions or SQL queries.
Trap 3: Firestore
Firestore supports ACID transactions and global distribution but is a NoSQL document database — it lacks full SQL query capabilities required for financial reporting and complex joins.
- A
Cloud SQL (PostgreSQL)
Why wrong: Cloud SQL is a regional database — it doesn't automatically replicate globally. Cross-region failover is supported but not automatic global distribution with consistent transactions.
- B
Cloud Spanner
Cloud Spanner provides ACID transactions, SQL support, and automatic global replication across multiple regions with 99.999% availability. It's designed for exactly this global financial transaction use case.
- C
Cloud Bigtable
Why wrong: Bigtable is a NoSQL database (key-value) optimized for high-throughput non-transactional workloads. It doesn't support ACID transactions or SQL queries.
- D
Firestore
Why wrong: Firestore supports ACID transactions and global distribution but is a NoSQL document database — it lacks full SQL query capabilities required for financial reporting and complex joins.
A company runs a customer-facing web application with a published SLA of 99.95% monthly availability. In the past month, the application experienced two outages: a 12-minute outage and a 7-minute outage. Did the company meet its SLA?
Trap 1: No — the company missed the SLA because any outage automatically…
SLAs define a specific downtime budget, not a zero-outage requirement. 99.95% allows 21.6 minutes of downtime per 30-day month. Having two outages that total less than this threshold does not breach the SLA.
Trap 2: The answer cannot be determined without knowing the cause of the…
SLA compliance is calculated from duration of unavailability, not cause. The cause of outages is relevant for root cause analysis and prevention, but SLA mathematics only requires total downtime duration.
Trap 3: No — two separate outages in one month always constitute an SLA…
SLAs are calculated on cumulative downtime duration within the measurement period, not on the number of incidents. Multiple short outages that cumulatively fall within the allowed downtime budget do not breach the SLA.
- A
No — the company missed the SLA because any outage automatically constitutes an SLA breach
Why wrong: SLAs define a specific downtime budget, not a zero-outage requirement. 99.95% allows 21.6 minutes of downtime per 30-day month. Having two outages that total less than this threshold does not breach the SLA.
- B
Yes — 99.95% availability in a 30-day month allows approximately 21.6 minutes of downtime; total outage of 19 minutes is within the budget, meaning the SLA was met
The math confirms the SLA was met. 30 days × 1,440 minutes = 43,200 minutes. 0.05% × 43,200 = 21.6 minutes allowed. 12 + 7 = 19 minutes actual downtime. 19 < 21.6, so the SLA is met. However, the remaining buffer is only 2.6 minutes — the team should treat this as a reliability concern.
- C
The answer cannot be determined without knowing the cause of the outages
Why wrong: SLA compliance is calculated from duration of unavailability, not cause. The cause of outages is relevant for root cause analysis and prevention, but SLA mathematics only requires total downtime duration.
- D
No — two separate outages in one month always constitute an SLA breach regardless of duration
Why wrong: SLAs are calculated on cumulative downtime duration within the measurement period, not on the number of incidents. Multiple short outages that cumulatively fall within the allowed downtime budget do not breach the SLA.
A hospital runs a patient records system that must remain on-premises due to strict regulatory data residency requirements. However, they also want to use cloud-based AI for diagnostic imaging analysis. Which cloud deployment model best describes their architecture?
Trap 1: Public cloud — all workloads run in a provider's infrastructure.
Public cloud means all resources are in the cloud provider's infrastructure. The hospital specifically keeps patient records on-premises, so this is not a pure public cloud model.
Trap 2: Private cloud — all workloads run in the hospital's own…
Private cloud means all computing happens in the hospital's owned/managed infrastructure. Using Google Cloud's AI services makes this a hybrid, not a pure private cloud.
Trap 3: Multi-cloud — using multiple public cloud providers simultaneously.
Multi-cloud refers to using multiple different public cloud providers (e.g., both Google Cloud and AWS). This scenario is on-premises + one cloud provider — hybrid, not multi-cloud.
- A
Public cloud — all workloads run in a provider's infrastructure.
Why wrong: Public cloud means all resources are in the cloud provider's infrastructure. The hospital specifically keeps patient records on-premises, so this is not a pure public cloud model.
- B
Private cloud — all workloads run in the hospital's own infrastructure.
Why wrong: Private cloud means all computing happens in the hospital's owned/managed infrastructure. Using Google Cloud's AI services makes this a hybrid, not a pure private cloud.
- C
Hybrid cloud — combining on-premises infrastructure with public cloud services.
Hybrid cloud connects on-premises (patient records, regulatory compliance) with public cloud (AI imaging analysis). This is the textbook hybrid cloud pattern for regulated industries.
- D
Multi-cloud — using multiple public cloud providers simultaneously.
Why wrong: Multi-cloud refers to using multiple different public cloud providers (e.g., both Google Cloud and AWS). This scenario is on-premises + one cloud provider — hybrid, not multi-cloud.
Which term describes the model where the cloud provider is responsible for the security of the cloud infrastructure, while the customer is responsible for security within their own cloud environment (data, applications, access management)?
Trap 1: Zero trust security model
Zero trust is a security philosophy ('never trust, always verify') applied to network access design. It is different from the shared responsibility model, which describes the division of security duties between provider and customer.
Trap 2: Defense in depth strategy
Defense in depth is a security approach using multiple layers of controls. While related to good security practice, it's not the name for the provider/customer responsibility division.
Trap 3: Identity federation model
Identity federation enables using an external identity provider for authentication (SSO). It's a specific security feature, not the framework describing provider vs. customer responsibilities.
- A
Zero trust security model
Why wrong: Zero trust is a security philosophy ('never trust, always verify') applied to network access design. It is different from the shared responsibility model, which describes the division of security duties between provider and customer.
- B
Shared responsibility model
The shared responsibility model defines that Google Cloud secures the infrastructure ('security of the cloud') while customers secure their data and applications ('security in the cloud').
- C
Defense in depth strategy
Why wrong: Defense in depth is a security approach using multiple layers of controls. While related to good security practice, it's not the name for the provider/customer responsibility division.
- D
Identity federation model
Why wrong: Identity federation enables using an external identity provider for authentication (SSO). It's a specific security feature, not the framework describing provider vs. customer responsibilities.
A business intelligence team wants to create interactive dashboards and reports from their BigQuery data without writing code. They need to share reports with stakeholders who don't have GCP accounts. Which Google Cloud tool is most appropriate?
Trap 1: Vertex AI Workbench
Vertex AI Workbench is a managed Jupyter notebook environment for data scientists writing ML/Python code. It's not a BI dashboarding tool for non-technical stakeholders.
Trap 2: Cloud Dataprep by Trifacta
Cloud Dataprep is a visual data preparation and cleaning tool — used to transform data before analysis. It's not a dashboarding or report-sharing tool.
Trap 3: BigQuery Studio
BigQuery Studio provides an integrated SQL and notebook environment for data analysts in GCP — not a shareable dashboard tool for non-technical stakeholders.
- A
Vertex AI Workbench
Why wrong: Vertex AI Workbench is a managed Jupyter notebook environment for data scientists writing ML/Python code. It's not a BI dashboarding tool for non-technical stakeholders.
- B
Looker Studio (formerly Data Studio)
Looker Studio is Google's free BI dashboarding tool with native BigQuery integration. Reports can be shared via link with stakeholders who have no GCP accounts.
- C
Cloud Dataprep by Trifacta
Why wrong: Cloud Dataprep is a visual data preparation and cleaning tool — used to transform data before analysis. It's not a dashboarding or report-sharing tool.
- D
BigQuery Studio
Why wrong: BigQuery Studio provides an integrated SQL and notebook environment for data analysts in GCP — not a shareable dashboard tool for non-technical stakeholders.
A media company currently licenses proprietary software for video editing that costs $50,000 per seat annually. They are considering a cloud-based SaaS alternative at $5,000 per seat annually. Beyond the licensing cost, which additional financial benefits should they consider when calculating total cost of ownership (TCO)?
Trap 1: Only the licensing cost difference ($45,000 per seat) matters for…
Licensing cost is one component. Full TCO includes hardware, IT staff, maintenance, facilities, and upgrade costs for on-premises — often significantly higher than the visible licensing fee.
Trap 2: The SaaS option has an internet dependency risk that may cost more…
Internet dependency is a valid consideration but is a risk factor, not a TCO financial component. Most businesses already depend on reliable internet for cloud productivity tools.
Trap 3: The vendor's market capitalization, since larger companies are more…
Vendor financial stability is a procurement risk consideration, not a TCO financial calculation component.
- A
Only the licensing cost difference ($45,000 per seat) matters for the financial comparison.
Why wrong: Licensing cost is one component. Full TCO includes hardware, IT staff, maintenance, facilities, and upgrade costs for on-premises — often significantly higher than the visible licensing fee.
- B
Eliminated hardware costs, reduced IT maintenance staff, no upgrade cycles, and freed facilities costs — all lowering the true on-premises TCO that should be compared against the SaaS subscription.
On-premises TCO includes hardware procurement/refresh, IT admin staff, software maintenance, facilities (power, cooling, space), and upgrade projects. Eliminating these hidden costs makes the SaaS TCO comparison far more favorable.
- C
The SaaS option has an internet dependency risk that may cost more than the savings.
Why wrong: Internet dependency is a valid consideration but is a risk factor, not a TCO financial component. Most businesses already depend on reliable internet for cloud productivity tools.
- D
The vendor's market capitalization, since larger companies are more financially stable.
Why wrong: Vendor financial stability is a procurement risk consideration, not a TCO financial calculation component.
According to the NIST definition of cloud computing, which characteristic allows users to unilaterally provision computing resources such as server time and network storage without requiring human interaction with the service provider?
Trap 1: Broad network access
Broad network access means capabilities are available over the network via standard mechanisms (internet) accessible from various devices. It describes accessibility, not self-provisioning.
Trap 2: Resource pooling
Resource pooling describes the provider's multi-tenant model where physical resources are shared among many customers. It relates to the provider's infrastructure model, not user provisioning capability.
Trap 3: Measured service
Measured service refers to monitoring and metering resource usage for billing and transparency purposes. It describes how consumption is tracked, not how resources are provisioned.
- A
Broad network access
Why wrong: Broad network access means capabilities are available over the network via standard mechanisms (internet) accessible from various devices. It describes accessibility, not self-provisioning.
- B
On-demand self-service
On-demand self-service allows users to provision resources (compute, storage) automatically through a portal or API without human interaction with the provider — core to the cloud experience.
- C
Resource pooling
Why wrong: Resource pooling describes the provider's multi-tenant model where physical resources are shared among many customers. It relates to the provider's infrastructure model, not user provisioning capability.
- D
Measured service
Why wrong: Measured service refers to monitoring and metering resource usage for billing and transparency purposes. It describes how consumption is tracked, not how resources are provisioned.
A company uses two different public cloud providers (AWS for their North American operations and Google Cloud for their European operations) to meet data residency requirements and avoid vendor lock-in. Which deployment model does this represent?
Trap 1: Hybrid cloud
Hybrid cloud combines on-premises infrastructure with public cloud. Using two different public cloud providers (AWS + Google Cloud) is multi-cloud, not hybrid — there's no on-premises component described.
Trap 2: Multi-region
Multi-region typically describes using multiple geographic regions within the same cloud provider. Using two different providers (AWS and Google) is multi-cloud.
Trap 3: Distributed cloud
Distributed cloud extends a public cloud provider's services to edge locations or customer premises — a specific architecture, not the multi-provider strategy described.
- A
Hybrid cloud
Why wrong: Hybrid cloud combines on-premises infrastructure with public cloud. Using two different public cloud providers (AWS + Google Cloud) is multi-cloud, not hybrid — there's no on-premises component described.
- B
Multi-cloud
Multi-cloud is the deliberate use of two or more different public cloud providers. Using AWS for North America and Google Cloud for Europe is a classic multi-cloud strategy.
- C
Multi-region
Why wrong: Multi-region typically describes using multiple geographic regions within the same cloud provider. Using two different providers (AWS and Google) is multi-cloud.
- D
Distributed cloud
Why wrong: Distributed cloud extends a public cloud provider's services to edge locations or customer premises — a specific architecture, not the multi-provider strategy described.
A retail company wants to build a recommendation engine that suggests products to customers based on their browsing history. The team has ML expertise but wants to use Google's pre-built ML infrastructure to train and deploy models at scale without managing compute resources. Which Google Cloud service should they use?
Trap 1: BigQuery ML
BigQuery ML allows training ML models using SQL queries within BigQuery — useful for analysts but limited in the types of models and features. Vertex AI is a complete MLOps platform for more complex model training.
Trap 2: Cloud AI Platform Notebooks (now Vertex AI Workbench)
Vertex AI Workbench provides managed Jupyter notebook environments for ML development — it's an IDE for data scientists, not the full managed training and serving pipeline.
Trap 3: Cloud Dataflow
Dataflow is a managed stream and batch data processing service (Apache Beam), not an ML platform. It's used for ETL and data pipeline work, not model training.
- A
BigQuery ML
Why wrong: BigQuery ML allows training ML models using SQL queries within BigQuery — useful for analysts but limited in the types of models and features. Vertex AI is a complete MLOps platform for more complex model training.
- B
Vertex AI
Vertex AI is Google's unified ML platform with managed training (GPU/TPU clusters), AutoML, model registry, feature store, and serving endpoints. Teams bring ML expertise; Vertex AI handles infrastructure.
- C
Cloud AI Platform Notebooks (now Vertex AI Workbench)
Why wrong: Vertex AI Workbench provides managed Jupyter notebook environments for ML development — it's an IDE for data scientists, not the full managed training and serving pipeline.
- D
Cloud Dataflow
Why wrong: Dataflow is a managed stream and batch data processing service (Apache Beam), not an ML platform. It's used for ETL and data pipeline work, not model training.
A company needs to send messages between different microservices in a decoupled way. When one service publishes an event, multiple downstream services should receive and process it independently. Which Google Cloud service enables this publish-subscribe messaging pattern?
Trap 1: Cloud Tasks
Cloud Tasks manages task queues for asynchronous, guaranteed delivery to a single worker. It doesn't support the fan-out pattern (one message → multiple independent subscribers).
Trap 2: Cloud Scheduler
Cloud Scheduler creates cron-based scheduled jobs. It doesn't provide a messaging queue or pub-sub pattern for service-to-service communication.
Trap 3: Eventarc
Eventarc routes events from GCP services to Cloud Run and other targets — it's an event routing service built on Pub/Sub. For direct service-to-service messaging patterns, Pub/Sub is the foundational service.
- A
Cloud Tasks
Why wrong: Cloud Tasks manages task queues for asynchronous, guaranteed delivery to a single worker. It doesn't support the fan-out pattern (one message → multiple independent subscribers).
- B
Cloud Pub/Sub
Pub/Sub supports multiple subscriptions per topic, allowing many services to independently receive every published message. It's the GCP-native pub-sub messaging backbone for event-driven architectures.
- C
Cloud Scheduler
Why wrong: Cloud Scheduler creates cron-based scheduled jobs. It doesn't provide a messaging queue or pub-sub pattern for service-to-service communication.
- D
Eventarc
Why wrong: Eventarc routes events from GCP services to Cloud Run and other targets — it's an event routing service built on Pub/Sub. For direct service-to-service messaging patterns, Pub/Sub is the foundational service.
A company's web service has a Service Level Objective (SLO) of 99.9% monthly availability. In a 30-day month, how many minutes of downtime are allowed before the SLO is violated?
Trap 1: ~4.3 minutes
4.3 minutes corresponds to 99.99% (four nines) availability, not 99.9% (three nines). Three nines allows approximately 10× more downtime.
Trap 2: ~7.2 hours
7.2 hours corresponds to approximately 99% availability (two nines). 99.9% is an order of magnitude more restrictive.
Trap 3: ~8.6 hours
8.6 hours is roughly 99% availability. 99.9% availability allows only ~43 minutes of downtime per month.
- A
~4.3 minutes
Why wrong: 4.3 minutes corresponds to 99.99% (four nines) availability, not 99.9% (three nines). Three nines allows approximately 10× more downtime.
- B
~43.2 minutes
99.9% availability = 0.1% downtime. In a 30-day month (43,200 minutes), 0.1% = 43.2 minutes of allowed downtime — the classic 'three nines' error budget.
- C
~7.2 hours
Why wrong: 7.2 hours corresponds to approximately 99% availability (two nines). 99.9% is an order of magnitude more restrictive.
- D
~8.6 hours
Why wrong: 8.6 hours is roughly 99% availability. 99.9% availability allows only ~43 minutes of downtime per month.
A company's application is composed of 15 microservices. When a performance issue occurs, the team struggles to determine which service is causing latency since request traces span multiple services. Which Google Cloud service helps identify which specific service in a microservices chain is causing slowdowns?
Trap 1: Cloud Logging — search logs for error messages across all 15…
Log searching finds errors after they occur but doesn't correlate cross-service request timelines or show which service hop added latency in a distributed trace.
Trap 2: Cloud Monitoring dashboards — create per-service CPU utilization…
CPU graphs show resource utilization but don't correlate individual request flows across services or show which service contributed to a specific slow request.
Trap 3: Security Command Center — scan for misconfigurations causing…
SCC identifies security findings and misconfigurations, not application performance issues or distributed request tracing.
- A
Cloud Logging — search logs for error messages across all 15 services.
Why wrong: Log searching finds errors after they occur but doesn't correlate cross-service request timelines or show which service hop added latency in a distributed trace.
- B
Cloud Trace — captures distributed request traces showing end-to-end latency across all microservices.
Cloud Trace shows the complete request journey: which service was called, in what order, and how long each call took. The Gantt-chart view immediately reveals the latency culprit service.
- C
Cloud Monitoring dashboards — create per-service CPU utilization graphs.
Why wrong: CPU graphs show resource utilization but don't correlate individual request flows across services or show which service contributed to a specific slow request.
- D
Security Command Center — scan for misconfigurations causing performance issues.
Why wrong: SCC identifies security findings and misconfigurations, not application performance issues or distributed request tracing.
A company is concerned about which security responsibilities belong to Google versus which belong to them when using Google Cloud's managed database service (Cloud SQL). In the shared responsibility model, which security tasks does Google handle?
Trap 1: Google controls who can access the database and what data can be…
Access control (who can connect to the database, with what permissions) is always the customer's responsibility. Google never controls customer data access policies.
Trap 2: Google is responsible for backing up customer data and ensuring…
While Cloud SQL offers managed backups (which Google operates), enabling and managing backup policies is a customer responsibility. Google provides the capability; customers configure it.
Trap 3: Google determines which compliance certifications the customer's…
Compliance requirements are determined by the customer's industry and regulatory environment. Google provides compliance certifications for its infrastructure; customers are responsible for their application-level compliance.
- A
Google controls who can access the database and what data can be stored.
Why wrong: Access control (who can connect to the database, with what permissions) is always the customer's responsibility. Google never controls customer data access policies.
- B
Google handles physical security, hardware maintenance, and OS and database software patching.
For managed services, Google manages the entire infrastructure layer: physical security, hardware, hypervisor, and service software updates. Customers manage their configuration and data.
- C
Google is responsible for backing up customer data and ensuring data recovery.
Why wrong: While Cloud SQL offers managed backups (which Google operates), enabling and managing backup policies is a customer responsibility. Google provides the capability; customers configure it.
- D
Google determines which compliance certifications the customer's application must meet.
Why wrong: Compliance requirements are determined by the customer's industry and regulatory environment. Google provides compliance certifications for its infrastructure; customers are responsible for their application-level compliance.
A SRE team wants to alert when their service is consuming error budget faster than expected, rather than alerting only when the SLO threshold is crossed. Which Cloud Monitoring alerting strategy supports this approach?
Trap 1: Threshold alerting — alert when error rate exceeds 0.1%.
Simple threshold alerting fires only when the threshold is crossed — reactive, not predictive. It doesn't account for the rate of consumption or how much budget remains.
Trap 2: Uptime check alerting — alert when health checks fail.
Uptime checks detect complete service unavailability. They don't measure SLO compliance or error budget consumption rates for partial failure scenarios.
Trap 3: Log-based alerting — alert when specific error messages appear in…
Log-based alerts detect specific event patterns in logs. They can contribute to monitoring but don't directly measure SLO burn rate.
- A
Threshold alerting — alert when error rate exceeds 0.1%.
Why wrong: Simple threshold alerting fires only when the threshold is crossed — reactive, not predictive. It doesn't account for the rate of consumption or how much budget remains.
- B
SLO burn rate alerting — alert when error budget is being consumed faster than the measurement window allows.
Burn rate alerting detects when errors are occurring at a rate that will exhaust the error budget before period end. This enables proactive response before the SLO is violated.
- C
Uptime check alerting — alert when health checks fail.
Why wrong: Uptime checks detect complete service unavailability. They don't measure SLO compliance or error budget consumption rates for partial failure scenarios.
- D
Log-based alerting — alert when specific error messages appear in logs.
Why wrong: Log-based alerts detect specific event patterns in logs. They can contribute to monitoring but don't directly measure SLO burn rate.
Google Cloud encrypts all customer data at rest by default without any configuration required. A customer asks: 'Do we need to do anything special to encrypt our data stored in Cloud Storage?' What is the correct answer?
Trap 1: Yes, customers must enable encryption in the Cloud Storage bucket…
Encryption is automatic and requires no configuration. There is no 'enable encryption' setting in Cloud Storage — all data is encrypted by default.
Trap 2: Only data in premium storage tiers is encrypted; Standard storage…
Encryption is applied to all storage tiers equally — Standard, Nearline, Coldline, and Archive are all encrypted by default.
Trap 3: Customers must purchase the Security Command Center Premium tier to…
Security Command Center is a security monitoring service; it doesn't control data encryption. Encryption is automatic and included in the base service at no additional charge.
- A
Yes, customers must enable encryption in the Cloud Storage bucket settings for each bucket.
Why wrong: Encryption is automatic and requires no configuration. There is no 'enable encryption' setting in Cloud Storage — all data is encrypted by default.
- B
No, Google Cloud encrypts all data at rest automatically using AES-256 — no configuration is needed.
All Google Cloud storage services encrypt data at rest by default with AES-256. Customers receive encryption without any setup, and can optionally use CMEK for key management control.
- C
Only data in premium storage tiers is encrypted; Standard storage requires manual encryption.
Why wrong: Encryption is applied to all storage tiers equally — Standard, Nearline, Coldline, and Archive are all encrypted by default.
- D
Customers must purchase the Security Command Center Premium tier to enable data encryption.
Why wrong: Security Command Center is a security monitoring service; it doesn't control data encryption. Encryption is automatic and included in the base service at no additional charge.
A security architect wants to implement a 'never trust, always verify' security approach where no user or service is assumed to be trustworthy based on network location alone. Every access request must be authenticated and authorized regardless of whether it comes from inside or outside the corporate network. Which security model describes this approach?
Trap 1: Perimeter security model
Perimeter security (castle and moat) trusts everything inside the network perimeter. Zero Trust is the opposite — it distrusts all requests regardless of network location.
Trap 2: Defense in depth model
Defense in depth uses multiple security layers. While complementary to Zero Trust, it doesn't specifically describe the 'verify every request regardless of network location' principle.
Trap 3: Principle of least privilege
Least privilege grants only the minimum permissions needed — an important security principle but not the same as Zero Trust's 'always verify regardless of network location' approach.
- A
Perimeter security model
Why wrong: Perimeter security (castle and moat) trusts everything inside the network perimeter. Zero Trust is the opposite — it distrusts all requests regardless of network location.
- B
Zero Trust security model
Zero Trust requires authentication and authorization for every request, regardless of network origin. 'Never trust, always verify' is the defining principle of Zero Trust.
- C
Defense in depth model
Why wrong: Defense in depth uses multiple security layers. While complementary to Zero Trust, it doesn't specifically describe the 'verify every request regardless of network location' principle.
- D
Principle of least privilege
Why wrong: Least privilege grants only the minimum permissions needed — an important security principle but not the same as Zero Trust's 'always verify regardless of network location' approach.
A company is evaluating Google Cloud and wants to know: what is Access Transparency, and how does it benefit customers with stringent governance requirements?
Trap 1: Access Transparency shows customers which Google Cloud services are…
Regional service availability is documented in Google Cloud's documentation, not in Access Transparency. Access Transparency specifically logs Google personnel access to customer content.
Trap 2: Access Transparency is a feature that makes all customer data…
This is the opposite of Access Transparency's purpose. It exists to make Google's access to customer data visible to customers, not to make customer data visible to Google.
Trap 3: Access Transparency provides customers with real-time dashboards of…
Security vulnerability dashboards are provided by Security Command Center. Access Transparency is specifically about logging Google staff's access to customer content.
- A
Access Transparency shows customers which Google Cloud services are available in their region.
Why wrong: Regional service availability is documented in Google Cloud's documentation, not in Access Transparency. Access Transparency specifically logs Google personnel access to customer content.
- B
Access Transparency logs when Google Cloud personnel access customer content, providing an audit trail for governance.
Access Transparency near-real-time logs capture: what Google personnel accessed, why (business justification), and when — giving enterprises visibility and audit evidence for sovereign data governance requirements.
- C
Access Transparency is a feature that makes all customer data visible to Google for quality improvement.
Why wrong: This is the opposite of Access Transparency's purpose. It exists to make Google's access to customer data visible to customers, not to make customer data visible to Google.
- D
Access Transparency provides customers with real-time dashboards of their application's security vulnerabilities.
Why wrong: Security vulnerability dashboards are provided by Security Command Center. Access Transparency is specifically about logging Google staff's access to customer content.
A development team builds a mobile app using Firebase. They need a real-time database that syncs data across all connected clients instantly (e.g., a collaborative to-do app where all users see updates in real-time). Which Firebase/Google Cloud service provides this?
Trap 1: Cloud SQL with read replicas to distribute updates to clients.
Cloud SQL is a relational database for traditional applications. It doesn't provide native real-time client synchronization — clients would need to poll for updates.
Trap 2: BigQuery streaming inserts for real-time data delivery to mobile…
BigQuery streaming inserts write analytical data to BigQuery — it's not designed for real-time client-facing data synchronization in mobile apps.
Trap 3: Cloud Pub/Sub subscriptions on the mobile clients.
While Pub/Sub delivers messages, mobile clients don't directly subscribe to Pub/Sub topics. Firebase SDKs abstract the real-time synchronization mechanism for mobile/web clients.
- A
Cloud SQL with read replicas to distribute updates to clients.
Why wrong: Cloud SQL is a relational database for traditional applications. It doesn't provide native real-time client synchronization — clients would need to poll for updates.
- B
Cloud Firestore or Firebase Realtime Database for real-time data sync across all connected clients.
Firestore provides real-time listeners — when data changes, the SDK automatically delivers updates to all subscribed clients. This enables truly real-time collaborative apps without polling.
- C
BigQuery streaming inserts for real-time data delivery to mobile clients.
Why wrong: BigQuery streaming inserts write analytical data to BigQuery — it's not designed for real-time client-facing data synchronization in mobile apps.
- D
Cloud Pub/Sub subscriptions on the mobile clients.
Why wrong: While Pub/Sub delivers messages, mobile clients don't directly subscribe to Pub/Sub topics. Firebase SDKs abstract the real-time synchronization mechanism for mobile/web clients.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.