Google Professional Cloud Architect (PCA) — Questions 751–825

1000 questions total · 14 pages · All types, answers revealed

Page 11 of 14

751
MCQ · hard

Your team is following an incident management process. After resolving a major incident, you are tasked with conducting a postmortem. What is the PRIMARY goal of the postmortem process in Google Cloud's recommended approach?

A. Understand the root cause and implement changes to prevent recurrence
B. Document the incident timeline and communicate it to stakeholders
C. Calculate the financial impact and bill the responsible team
D. Identify the individual responsible for the incident and take corrective action
Answer: A

The primary goal is to learn and improve.

Why this answer

Google's Site Reliability Engineering (SRE) approach emphasizes blameless postmortems. The primary goal is to learn from the incident and improve the system to prevent recurrence, not to assign blame or track individual performance.

752
MCQ · easy

A company deploys a web application on Compute Engine behind an HTTP Load Balancer. They want to ensure only healthy instances receive traffic. What should they configure?

A. Configure the instance group autoscaling based on CPU utilization
B. Configure an HTTP health check with a custom request path that returns a 200 status
C. Configure a TCP health check on port 80
D. Configure an SSL health check to verify TLS handshake
Answer: B

HTTP health check validates the application layer by checking a specific endpoint.

Why this answer

Option B is correct because an HTTP health check with a custom request path that returns a 200 status allows the HTTP Load Balancer to verify that the web application is actually serving requests correctly. This ensures that only instances passing the application-level health check are considered healthy and receive traffic, preventing requests from being routed to instances that may be running but not serving the expected content.

Exam trap

The trap here is that candidates often confuse health checks with autoscaling metrics, assuming that CPU-based autoscaling alone ensures traffic is only sent to healthy instances, when in fact health checks are a separate mechanism required for load balancer traffic routing.

How to eliminate wrong answers

Option A is wrong because autoscaling based on CPU utilization manages the number of instances but does not determine which instances are healthy for traffic routing; the load balancer still needs health checks to decide which instances to send traffic to. Option C is wrong because a TCP health check on port 80 only verifies that the TCP port is open, not that the web application is responding correctly; an instance could have a listening port but return errors or be unresponsive at the application layer. Option D is wrong because an SSL health check verifies the TLS handshake, which is unnecessary for HTTP traffic and does not validate the application's response; it is designed for HTTPS backends, not plain HTTP.
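The distinction between Options B and C is easy to state and easy to get wrong in practice. The following script is an added example (not part of the original page): a hypothetical app with a /healthz endpoint whose only "dependency" is a simulated flag, probed once the way a TCP health check would and once the way an HTTP health check would. The load balancer itself is not involved; the path and the 200/503 semantics are what you would configure on it.

```python
"""Added example, not part of the original page: why an HTTP health check on a
dedicated path catches failures that a TCP check on the same port cannot.

Everything here is hypothetical: the app, its /healthz path, and the
"dependency" it checks are simulated.
"""
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Simulated dependency state. A real app would test a DB connection, a cache,
# or a required downstream service here.
DEPENDENCY_OK = {"ok": True}


class AppHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/healthz":
            # Readiness semantics: 200 only when the app can actually serve.
            if DEPENDENCY_OK["ok"]:
                self._reply(200, b"ok")
            else:
                self._reply(503, b"dependency unavailable")
        elif self.path == "/":
            self._reply(200, b"hello")
        else:
            self._reply(404, b"not found")

    def _reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server():
    """Start the app on an ephemeral localhost port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), AppHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def tcp_probe(port, timeout=1.0):
    """What a TCP health check sees: can a connection be opened at all?"""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout):
            return True
    except OSError:
        return False


def http_probe(port, path="/healthz", timeout=1.0):
    """What an HTTP health check sees: does GET <path> answer 200?"""
    url = f"http://127.0.0.1:{port}{path}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:
        return False  # 503/404/500: the port answered, but the app is not healthy
    except (urllib.error.URLError, OSError):
        return False  # connection refused or timed out


def compare_probes(dependency_ok):
    """Run both probes against the app with its dependency up or down."""
    server, port = start_server()
    try:
        DEPENDENCY_OK["ok"] = dependency_ok
        return {"tcp": tcp_probe(port), "http": http_probe(port)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("dependency up:  ", compare_probes(True))
    print("dependency down:", compare_probes(False))
```

With the dependency down the TCP probe still reports healthy, because the listener is up, while the HTTP probe reports unhealthy. Configure the same semantics on the load balancer with an HTTP health check whose request path is /healthz (a required response string can be added as well), keep that endpoint cheap, and allow only Google's health-check source ranges (35.191.0.0/16 and 130.211.0.0/22) to reach it in the firewall rule.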

753
MCQ · hard

Refer to the exhibit. The log entry is from Cloud Logging for a VPC subnetwork. What is the most likely cause of this error?

A. A firewall rule blocking ingress on port 80.
B. The subnetwork default has no internet gateway.
C. The VM at 10.0.0.2 is not running.
D. The packet is malformed.
Answer: A

The error message attributes the drop to firewall policy 'default-deny-ingress'.

Why this answer

The log entry attributes the drop to a firewall rule ('default-deny-ingress'), and the destination is 10.0.0.2 on TCP port 80, so the most likely cause is that no ingress allow rule covers HTTP to that VM. VPC firewall rules are stateful and are applied to every packet arriving at or leaving a VM interface; an ingress packet that matches no allow rule falls through to a deny rule, and when logging is enabled on that rule (it can only be enabled on rules you define, not on the implied deny) the drop is written by Firewall Rules Logging as an entry with resource type gce_subnetwork, disposition DENIED and the matched rule in rule_details. That is why a "subnetwork" log can describe a firewall decision.

Exam trap

Google Cloud often tests the distinction between firewall drops and routing failures; the trap here is that candidates may confuse a firewall rule drop with a missing internet gateway or an unreachable VM, but the log entry's 'firewall' field explicitly indicates a firewall decision, not a routing or connectivity issue.

How to eliminate wrong answers

Option B is wrong because a missing path to the internet would not produce a log entry that cites a firewall rule; it shows up as a routing failure (no matching route), which Firewall Rules Logging never records, and it is irrelevant to an ingress packet destined for an internal address. Option C is wrong because a stopped VM has no interface for the firewall to evaluate; the VPC would drop the packet with no firewall rule referenced. Option D is wrong because a malformed packet is discarded before rule evaluation, whereas the exhibit shows a well-formed TCP packet matched against a rule. The practical check is to list the ingress rules that apply to the VM's network tags or service account and confirm that one of them allows tcp:80 from the expected source range at a higher priority (lower number) than the deny rule.
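Telling a firewall DENY apart from other subnetwork-scoped logs is a routine triage step. The script below is an added example, not from the original page: it classifies log entries and summarizes denied ingress by destination port and rule. The field names follow the Firewall Rules Logging record format (jsonPayload.disposition, jsonPayload.connection, jsonPayload.rule_details, resource.type gce_subnetwork); the values are constructed sample data, the rule name is the one the exhibit cites, and the last sample line is a constructed VPC Flow Logs record, which shares the subnetwork resource type but carries no rule decision.

```python
"""Added example, not part of the original page: triaging VPC Firewall Rules
Logging entries so that a firewall DENY is not mistaken for a routing or
connectivity problem. All log lines below are constructed sample data.
"""
import json
from collections import Counter

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def _entry(src, dst, port, disposition=None, rule=None, action=None):
    """Build one constructed log line (helper for the sample data only)."""
    payload = {"connection": {"src_ip": src, "src_port": 51234, "dest_ip": dst,
                              "dest_port": port, "protocol": 6}}
    log_name = "projects/example-project/logs/compute.googleapis.com%2Fvpc_flows"
    if disposition:
        log_name = "projects/example-project/logs/compute.googleapis.com%2Ffirewall"
        payload["disposition"] = disposition
        payload["rule_details"] = {"reference": f"network:default/firewall:{rule}",
                                   "priority": 65535 if action == "DENY" else 1000,
                                   "action": action, "direction": "INGRESS"}
    return json.dumps({"logName": log_name,
                       "resource": {"type": "gce_subnetwork",
                                    "labels": {"subnetwork_name": "default"}},
                       "jsonPayload": payload})


SAMPLE_LOG_LINES = [
    _entry("203.0.113.7", "10.0.0.2", 80, "DENIED", "default-deny-ingress", "DENY"),
    _entry("198.51.100.9", "10.0.0.2", 80, "DENIED", "default-deny-ingress", "DENY"),
    _entry("10.0.0.5", "10.0.0.2", 22, "ALLOWED", "allow-ssh-internal", "ALLOW"),
    _entry("10.0.0.2", "10.0.0.9", 443),  # flow log: no firewall decision recorded
]


def load_entries(lines):
    return [json.loads(line) for line in lines]


def classify(entry):
    """Separate a firewall decision from other subnetwork-scoped records."""
    payload = entry.get("jsonPayload", {})
    if "disposition" not in payload or "rule_details" not in payload:
        return "not_a_firewall_decision"
    return "firewall_" + payload["disposition"].lower()  # firewall_denied / firewall_allowed


def describe(entry):
    """One-line summary of a firewall decision for a ticket or a runbook."""
    p = entry["jsonPayload"]
    c, r = p["connection"], p["rule_details"]
    proto = PROTO_NAMES.get(c["protocol"], str(c["protocol"]))
    return (f"{r['direction']} {c['src_ip']}:{c['src_port']} -> {c['dest_ip']}:{c['dest_port']} "
            f"{proto} {r['action']} by {r['reference']} (priority {r['priority']})")


def denied_ingress_summary(lines):
    """Count DENIED ingress packets by (destination port, rule): the fastest way
    to see that it is port 80 to the VM that one specific rule keeps dropping."""
    counts = Counter()
    for entry in load_entries(lines):
        if classify(entry) != "firewall_denied":
            continue
        rule = entry["jsonPayload"]["rule_details"]
        if rule["direction"] != "INGRESS":
            continue
        counts[(entry["jsonPayload"]["connection"]["dest_port"], rule["reference"])] += 1
    return counts


if __name__ == "__main__":
    for entry in load_entries(SAMPLE_LOG_LINES):
        kind = classify(entry)
        print(kind, "|", describe(entry) if kind != "not_a_firewall_decision" else "no rule decision")
    print(dict(denied_ingress_summary(SAMPLE_LOG_LINES)))
```

The same separation works in Logs Explorer: filter on resource.type="gce_subnetwork" together with the firewall log name and jsonPayload.disposition="DENIED". Remember that a rule only produces these entries when logging is enabled on it (the --enable-logging flag on gcloud compute firewall-rules create or update), so silence in this log does not prove the firewall is not dropping traffic.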

754
MCQ · hard

A company runs a data analytics platform on Google Cloud using BigQuery, Dataflow, and Cloud Storage. They notice that Dataflow jobs are failing with 'out of memory' errors for certain large pipelines. The pipelines process variable amounts of data, sometimes spiking 10x normal. Which strategy should they use to handle these spikes cost-effectively?

A. Manually monitor the job and increase the number of workers when a spike is detected.
B. Increase the machine type of the workers to a high-memory type and disable autoscaling.
C. Configure the Dataflow pipeline to use autoscaling with a higher maximum number of workers and use preemptible VMs for cost savings.
D. Use Dataflow Streaming Engine to offload state to persistent storage and reduce memory usage.
Answer: C

Autoscaling adjusts workers dynamically; preemptible VMs reduce cost for fault-tolerant work.

Why this answer

Option C is correct because Dataflow's autoscaling can dynamically add workers to handle sudden data spikes, and using preemptible VMs significantly reduces cost for batch pipelines that can tolerate interruptions. This approach avoids manual intervention and over-provisioning, making it cost-effective for variable workloads.

Exam trap

Google Cloud often tests the distinction between batch and streaming optimizations, and candidates mistakenly apply Streaming Engine (designed for stateful streaming) to batch pipelines suffering from memory spikes, missing the cost-effective autoscaling with preemptible VMs strategy.

How to eliminate wrong answers

Option A is wrong because manual monitoring and scaling is not cost-effective or reliable for unpredictable spikes; it introduces latency and operational overhead. Option B is wrong because disabling autoscaling and using a fixed high-memory machine type leads to over-provisioning during normal loads and cannot handle spikes beyond the fixed capacity, wasting resources. Option D is wrong because Dataflow Streaming Engine is designed for streaming pipelines to reduce memory usage by offloading state, but the question describes batch pipelines (Dataflow jobs processing variable data amounts), and it does not address the root cause of memory exhaustion during large batch spikes.

755
MCQ · medium

A developer needs to build a serverless event-driven application that responds to Cloud Storage object uploads by processing the file and storing results in Firestore. Which compute service is the best fit?

A. Cloud Functions
B. App Engine Flexible Environment
C. Cloud Run for Anthos
D. Compute Engine with startup scripts
Answer: A

Cloud Functions can be triggered by Cloud Storage events, scales automatically, and charges only for execution time.

Why this answer

Cloud Functions is a serverless event-driven compute service that can be triggered directly by Cloud Storage events, ideal for simple processing tasks.

756
MCQ · medium

A company needs to connect their on-premises data center to Google Cloud with a dedicated, low-latency connection that provides a Service Level Agreement (SLA) of 99.99% uptime. They anticipate high bandwidth usage (10 Gbps). Which connectivity option should they choose?

A. Cloud VPN with static routing
B. Cloud CDN
C. Partner Interconnect
D. Dedicated Interconnect
Answer: D

Direct physical connection at 10 Gbps or 100 Gbps per circuit, with a 99.99% SLA in the redundant topology.

Why this answer

Dedicated Interconnect provides a direct physical connection between on-premises and Google Cloud in 10 Gbps or 100 Gbps circuits (several can be bundled), and it carries the 99.99% SLA only when deployed in the recommended redundant topology: connections in two metropolitan areas, using both edge availability domains in each, with redundant Cloud Routers. Partner Interconnect (Option C) suits lower bandwidth or sites without a colocation presence; Cloud VPN runs over the public internet, reaches 99.99% only as HA VPN, and carries far less bandwidth per tunnel; Cloud CDN is a content cache, not connectivity.

757
MCQ · medium

A company uses Cloud Build to deploy a Java application to Artifact Registry. They want to automatically trigger a build only when changes are pushed to the 'main' branch in their Cloud Source Repository. Which configuration should they use?

A. Configure a Cloud Function that listens for Pub/Sub messages from Cloud Source Repo and calls Cloud Build API
B. Create a Cloud Build trigger with an included branch filter set to '^main$'
C. Create a Cloud Scheduler job that runs a Pub/Sub push to Cloud Build every hour
D. Use a Cloud Build build step that checks the branch name and aborts if not main
Answer: B

The branch filter '^main$' ensures only pushes to the main branch trigger a build.

Why this answer

Cloud Build triggers can be configured with a branch filter (regex) to trigger builds only on specific branches. The trigger is set to watch the repository and fire on push events matching the branch pattern. Using a Cloud Scheduler with Pub/Sub is an alternative for scheduled builds, but not for push-based triggers.
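The anchors in '^main$' are the whole point of Option B, and a trigger that publishes to Artifact Registry is exactly where an unanchored filter hurts. The script below is an added example, not part of the original page: it mirrors Cloud Build's regular-expression branch matching with Python's re module (RE2 and Python agree on patterns this simple) over constructed branch names, and includes a small audit helper. The gcloud command in the comment is the standard way to create such a trigger; REPO is a placeholder.

```python
"""Added example, not part of the original page: what a Cloud Build branch
filter matches, and why the anchors in ^main$ matter. Branch names are
constructed; the matching uses Python's re module as a stand-in for RE2.
"""
import re

# gcloud builds triggers create cloud-source-repositories \
#     --repo=REPO --branch-pattern='^main$' --build-config=cloudbuild.yaml
# (REPO is a placeholder; the --branch-pattern value is the regex examined below.)

# Constructed branch names a repository might carry.
CANDIDATE_BRANCHES = ["main", "main-backup", "feature/main", "maintenance",
                      "domain-model", "release/2024.06"]


def branch_triggers(pattern, branch):
    """True if a push to `branch` would fire a trigger whose filter is `pattern`.
    The filter is not implicitly anchored: a bare 'main' matches anywhere."""
    return re.search(pattern, branch) is not None


def branches_triggering(pattern, branches=CANDIDATE_BRANCHES):
    return [b for b in branches if branch_triggers(pattern, b)]


def filter_is_anchored(pattern):
    """Cheap guard for a trigger audit: an unanchored filter on a trigger that
    pushes images to a registry lets any branch containing the substring build
    and publish, which is a supply-chain exposure, not a convenience."""
    return pattern.startswith("^") and pattern.endswith("$")


def audit_trigger_filters(filters):
    """Return the unanchored filters with the branches they would fire for."""
    return {p: branches_triggering(p) for p in filters if not filter_is_anchored(p)}


if __name__ == "__main__":
    for pattern in ("^main$", "main", "^(main|release/.*)$"):
        print(f"{pattern!r:22} anchored={filter_is_anchored(pattern)} "
              f"fires for {branches_triggering(pattern)}")
```

The unanchored 'main' fires for five of the six sample branches, including feature/main, so anything pushed to a feature branch would be built and published as if it came from main. Pair the anchored filter with branch protection on main so that only reviewed merges reach the trigger.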

758
MCQ · easy

A team wants to define an SLO for a service that requires 99.9% availability over a 30-day window. They need to measure the ratio of successful requests to total requests. Which SLI should they use?

A. Request success rate
B. SRE
C. Request latency
D. Error budget
Answer: A

The proportion of successful requests is the standard SLI for availability.

Why this answer

An SLI is a measure of service performance. For availability, the standard SLI is the proportion of successful requests (e.g., HTTP 2xx) to total requests. Latency SLI measures response times.

Error budget is derived from SLO. SRE is the practice.
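The relationship between SLI, SLO and error budget is easier to hold onto as arithmetic. The script below is an added example, not part of the original page: it computes the availability SLI from request outcomes, the error budget that a 99.9% SLO over 30 days allows, and the burn rate. The request statuses are constructed. "Successful" here means any non-5xx response, the usual availability definition; the page's 2xx-only reading is stricter and would also count redirects and client errors against the service.

```python
"""Added example, not part of the original page: availability SLI, error
budget and burn rate for a 99.9% / 30-day SLO. Request statuses are constructed.
"""
import math

SLO_TARGET = 0.999
WINDOW_DAYS = 30

# Constructed sample: 10,000 requests, of which 15 were 5xx failures.
# 404s are client errors and do not count against availability.
SAMPLE_STATUSES = [200] * 9960 + [302] * 10 + [404] * 15 + [503] * 15


def is_success(status):
    return status < 500


def availability_sli(statuses):
    """SLI = successful requests / total requests, as a fraction."""
    if not statuses:
        return 1.0
    return sum(1 for s in statuses if is_success(s)) / len(statuses)


def error_budget_fraction(slo=SLO_TARGET):
    """Share of requests (or time) the SLO permits to fail: 0.1% at 99.9%."""
    return 1.0 - slo


def error_budget_minutes(slo=SLO_TARGET, window_days=WINDOW_DAYS):
    """The same budget expressed as allowed full-outage minutes per window."""
    return error_budget_fraction(slo) * window_days * 24 * 60


def burn_rate(sli, slo=SLO_TARGET):
    """How fast the budget is being consumed relative to the SLO: 1.0 means
    exactly on budget for the window, 2.0 means the budget is gone halfway."""
    return (1.0 - sli) / error_budget_fraction(slo)


def budget_report(statuses, slo=SLO_TARGET):
    """Everything an SLO dashboard shows for one measurement window."""
    failed = sum(1 for s in statuses if not is_success(s))
    allowed = error_budget_fraction(slo) * len(statuses)
    sli = availability_sli(statuses)
    return {"sli": sli, "failed": failed, "allowed_failures": allowed,
            "budget_consumed": failed / allowed if allowed else math.inf,
            "burn_rate": burn_rate(sli, slo), "meets_slo": sli >= slo}


if __name__ == "__main__":
    for key, value in budget_report(SAMPLE_STATUSES).items():
        print(f"{key:18} {value}")
```

For the sample the SLI is 99.85%, the SLO allowed 10 failures in 10,000 requests and 15 occurred, so 150% of the budget is spent at a burn rate of 1.5. The 43.2 minutes from error_budget_minutes() is the figure teams quote as "how long we can be fully down this month".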

759
Multi-Select · easy

Which THREE practices are recommended for organizing projects in a Google Cloud organization?

Select 3 answers
A. Create a separate project to hold organization policies.
B. Use a separate project for each environment (e.g., development, staging, production).
C. Apply IAM policies at the folder level instead of the organization level when possible.
D. Use a shared VPC host project for multiple service projects to centralize network management.
E. Consolidate all production resources into a single project for simplicity.
Answers: B, C, D

Separate projects isolate environments and allow independent management and billing.

Why this answer

Option B is correct because using separate projects for each environment (development, staging, production) enforces resource isolation, prevents accidental cross-environment changes, and allows independent IAM policies, billing, and quotas. This aligns with Google Cloud's recommended resource hierarchy best practices for managing lifecycle and security boundaries. Option C is correct because a role bound at the organization node is inherited by every project, so an over-privileged or compromised identity reaches everything; binding at the folder level bounds the blast radius to that line of business or environment. Option D is correct because a Shared VPC host project lets the network team own subnets, routes and firewall rules centrally while service projects own their compute, keeping network policy consistent across projects. Option E is wrong for the same reason B is right: one production project makes IAM, quota and blast radius impossible to separate.

Exam trap

The trap here is that candidates often confuse the purpose of organization policies with project-level resources, mistakenly thinking a separate project is needed to hold policies, when in fact policies are inherited through the resource hierarchy (organization → folder → project).

760
Multi-Select · medium

A company wants to improve the reliability of their microservices architecture on Google Cloud. Which TWO practices should they implement? (Choose 2)

Select 2 answers
A. Design with a single point of failure for simplicity
B. Implement retry with exponential backoff
C. Use synchronous communication between all services
D. Implement circuit breaker pattern
E. Disable health checks to reduce latency
Answers: B, D

Retry with backoff handles transient failures without overwhelming the system.

Why this answer

B is correct because implementing retry with exponential backoff allows transient failures (e.g., network timeouts, temporary service unavailability) to be handled gracefully by automatically retrying the request after increasing delays, reducing load on the recovering service; adding jitter to the delays keeps many clients from retrying in lockstep. D is correct because a circuit breaker stops calling a dependency that is consistently failing, fails fast for a cooling-off period, then lets a single trial request through before closing again; this protects the caller (no threads tied up waiting on timeouts) and the struggling dependency (no retry storm piling on while it recovers). Retries without backoff, jitter and a breaker can turn a partial outage into a full one.

Exam trap

Google Cloud often tests the misconception that synchronous communication is more reliable because it provides immediate feedback, but in distributed systems, asynchronous patterns and resilience mechanisms like retries and circuit breakers are actually critical for reliability.
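Options B and D are usually implemented together, and the interaction between them is where the subtlety lives: the retry loop must not keep hammering a dependency the breaker has declared down. The script below is an added example, not part of the original page: a retry loop with exponential backoff and full jitter wrapped by a small circuit breaker, exercised against a simulated flaky dependency. All names are hypothetical; the clock and sleep functions are injectable so the scenarios run instantly and deterministically.

```python
"""Added example, not part of the original page: retry with exponential
backoff and full jitter, wrapped by a circuit breaker, against a simulated
flaky dependency. Illustration code; clock and sleep are injectable.
"""
import random
import time


class TransientError(Exception):
    """A retryable failure, e.g. a 503 or a timeout from a downstream service."""


class CircuitOpenError(Exception):
    """Raised when the breaker refuses to call a dependency it believes is down."""


class CircuitBreaker:
    """CLOSED: calls pass. OPEN: fail fast. HALF_OPEN: one trial call decides."""

    def __init__(self, failure_threshold=3, recovery_timeout=30.0, clock=time.monotonic):
        self.failure_threshold = failure_threshold
        self.recovery_timeout = recovery_timeout
        self.clock = clock
        self.state = "CLOSED"
        self.failures = 0
        self.opened_at = None

    def call(self, fn):
        if self.state == "OPEN":
            if self.clock() - self.opened_at < self.recovery_timeout:
                raise CircuitOpenError("dependency marked down; failing fast")
            self.state = "HALF_OPEN"  # cooling-off elapsed: allow one probe
        try:
            result = fn()
        except Exception:
            self.failures += 1
            if self.state == "HALF_OPEN" or self.failures >= self.failure_threshold:
                self.state, self.opened_at = "OPEN", self.clock()
            raise
        self.failures, self.state = 0, "CLOSED"
        return result


def retry_with_backoff(fn, attempts=5, base=0.1, cap=2.0,
                       sleep=time.sleep, rng=random.random, breaker=None):
    """Call fn until it succeeds or attempts run out; returns (result, delays).
    Delay before retry k is rand() * min(cap, base * 2**k) ("full jitter"),
    which spreads retries from many clients instead of synchronising them."""
    delays = []
    for attempt in range(attempts):
        try:
            result = breaker.call(fn) if breaker else fn()
            return result, delays
        except CircuitOpenError:
            raise  # never retry into an open circuit; that is the point of it
        except TransientError:
            if attempt == attempts - 1:
                raise
            delay = rng() * min(cap, base * 2 ** attempt)
            delays.append(delay)
            sleep(delay)


class FlakyDependency:
    """Fails `failures_before_success` times, then answers "ok"."""

    def __init__(self, failures_before_success):
        self.remaining = failures_before_success
        self.calls = 0

    def __call__(self):
        self.calls += 1
        if self.remaining > 0:
            self.remaining -= 1
            raise TransientError("503 from downstream")
        return "ok"


def demo_transient_recovery():
    """Two transient failures, then success: three calls, two backoff delays."""
    dep = FlakyDependency(2)
    result, delays = retry_with_backoff(dep, sleep=lambda s: None, rng=lambda: 1.0)
    return result, dep.calls, delays


def demo_breaker_fail_fast():
    """Hard-down dependency: the breaker opens after 3 failures, the 4th attempt
    fails fast without a call, and after the cooling-off period it recovers."""
    now = [0.0]
    breaker = CircuitBreaker(failure_threshold=3, recovery_timeout=30.0, clock=lambda: now[0])
    dep = FlakyDependency(100)
    try:
        retry_with_backoff(dep, sleep=lambda s: None, rng=lambda: 1.0, breaker=breaker)
    except CircuitOpenError:
        pass
    calls_before_open = dep.calls
    now[0], dep.remaining = 31.0, 0  # time passes and the dependency recovers
    result, _ = retry_with_backoff(dep, attempts=1, breaker=breaker)
    return calls_before_open, breaker.state, result


if __name__ == "__main__":
    print(demo_transient_recovery())   # ('ok', 3, [0.1, 0.2])
    print(demo_breaker_fail_fast())    # (3, 'CLOSED', 'ok')
```

Two design points worth copying: only TransientError is retried (a 4xx or an authorization failure is not going to succeed on the second try), and CircuitOpenError is re-raised immediately rather than retried, so the backoff loop cannot defeat the breaker.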

761
MCQ · easy

A company wants to ensure that all access to their Cloud Storage bucket is logged for compliance purposes. Which type of audit log should they enable?

A. Admin Activity audit logs
B. Data Access audit logs
C. System Event audit logs
D. Access Transparency logs
Answer: B

Data Access logs capture read and write operations on data.

Why this answer

Data Access audit logs record reads and writes of user data (DATA_READ, DATA_WRITE) and reads of metadata or configuration (ADMIN_READ). For Cloud Storage they are off by default and must be enabled explicitly in the project's audit configuration, and they can be high volume on a busy bucket, so plan the sink and retention accordingly. Admin Activity logs record administrative changes such as bucket creation or IAM updates and are always on; System Event logs record Google-initiated actions; Access Transparency logs record access by Google personnel.

762
Multi-Select · hard

A data analytics team wants to build a pipeline that processes files from a Cloud Storage bucket, transforms the data, and loads it into BigQuery. They want to trigger the pipeline only when new files arrive. Which THREE services can be used together to achieve this? (Choose 3.)

Select 3 answers
A. Cloud Scheduler
B. Cloud Storage triggers for Cloud Functions
C. Cloud Build triggers
D. Cloud Workflows
E. BigQuery Data Transfer Service
Answers: B, D, E

Cloud Functions can be triggered on object creation in Cloud Storage.

Why this answer

Cloud Functions can be triggered directly by Cloud Storage events (object finalize), which is the event-driven entry point; Cloud Workflows can orchestrate the transform and load steps the function kicks off; and the BigQuery Data Transfer Service is the managed loader from Cloud Storage into BigQuery (note that its Cloud Storage transfers run on a schedule, so it loads the new files it finds at each run rather than reacting to each individual upload). Cloud Build triggers are for CI/CD, not data processing.

Cloud Scheduler is for time-based jobs, not object events. Eventarc can also deliver Cloud Storage events to Cloud Run, but among the listed options the direct storage trigger is Cloud Functions.

763
MCQ · medium

Refer to the exhibit. A user creates a Cloud SQL for PostgreSQL instance and a Compute Engine VM. The VM cannot connect to the database. What is the most likely cause?

A. The Cloud SQL instance requires SSL connections, and the client is not using SSL.
B. The Cloud SQL instance does not have a private IP assigned, but the VM is attempting to connect using the private IP.
C. The VM's firewall is blocking egress to port 5432 on the Cloud SQL public IP.
D. The authorized networks setting is too permissive; it should be restricted to the VM's public IP.
Answer: B

Correct: '--assign-ip' assigns only a public IP. Private IP requires the instance to be attached to a VPC network, so a VM that targets a private address for this instance has nothing to connect to.

Why this answer

The exhibit shows an instance created with '--assign-ip' (a public IP, no private network attached) and authorized networks set to 0.0.0.0/0; the VM has an external IP and a firewall that allows all egress. The client error is a connection timeout rather than an authentication or TLS error, so the packets never reach a listening endpoint. With authorized networks wide open and egress permitted, a connection to the instance's public IP should succeed even from a VM in a different VPC, because that path goes out to the public address and does not depend on peering. The remaining explanation that fits a timeout is that the VM is addressing a private IP, and the instance has none.

How to eliminate wrong answers

Option A is wrong because enforcing SSL on the instance produces an SSL-required error from the server after the TCP connection is established, not a timeout. Option C is wrong because the exhibit shows egress from the VM allowed to 0.0.0.0/0. Option D is wrong because a permissive authorized network cannot cause a connection to fail. It is a serious security problem, since 0.0.0.0/0 exposes the database listener to the whole internet with only the database password as a control, but the fix for that is to tighten the range or, better, use private IP or the Cloud SQL Auth Proxy; neither explains the timeout.

764
Multi-Select · medium

A company needs to allow a third-party auditor to view all Compute Engine resources in a project but not allow any modifications. The auditor must not have access to any other services. Which THREE steps should be taken?

Select 3 answers
A. Grant the 'Viewer' primitive role (roles/viewer)
B. Grant the 'Compute Viewer' role (roles/compute.viewer)
C. Ensure no other IAM roles are granted to the auditor
D. Assign the role at the project level
E. Assign the role at the resource (VM) level
Answers: B, C, D

Compute Viewer provides read-only access to Compute Engine resources.

Why this answer

The correct role is Compute Viewer (roles/compute.viewer), which is read-only and limited to Compute Engine. The basic Viewer role (roles/viewer) is too broad: it grants read access to nearly every service in the project, including object data in Cloud Storage buckets. Bind the role at the project level so it covers every Compute resource, and confirm with a policy check that the auditor holds no other binding at the project, folder or organization level, since inherited grants would widen access. Binding per VM (Option E) would miss newly created instances and non-instance resources such as disks and firewall rules.

765
MCQ · hard

A company is deploying a multi-tenant SaaS application on GKE. Each tenant's data must be isolated at the network level. They want to use a single GKE cluster but ensure that pods from different tenants cannot communicate with each other. Which GCP feature should they use?

A. Istio service mesh
B. VPC Service Controls
C. Kubernetes Network Policies
D. GKE Sandbox
Answer: C

Network Policies can restrict pod-to-pod traffic based on labels and namespaces, providing tenant isolation.

Why this answer

Kubernetes Network Policies define which pods may talk to which, by namespace and label, so a per-tenant namespace with a default-deny policy plus allow rules for intra-tenant traffic gives the required isolation. Two checks matter in practice: the cluster must have network policy enforcement enabled (GKE Dataplane V2, or the Calico-based enforcement on older clusters), otherwise NetworkPolicy objects are accepted by the API server but silently not enforced; and without an explicit default-deny policy in each namespace, all pod-to-pod traffic is allowed. GKE Sandbox (gVisor) isolates at the kernel level and is not a network control. VPC Service Controls build perimeters around Google Cloud APIs, not around pods.

Istio can enforce the same restrictions with authorization policies and mTLS identities, but it is a larger dependency than the problem needs.

766
Multi-Select · hard

A company runs a microservices-based application on Google Kubernetes Engine (GKE) with a Regional cluster. They want to improve reliability by implementing best practices for pod scheduling and resilience. Which TWO actions should they take? (Choose two.)

Select 2 answers
A. Set terminationGracePeriodSeconds to 0 for faster pod termination during scale-down
B. Enable cluster autoscaler to automatically add nodes when pods are pending
C. Define a PodDisruptionBudget for each deployment to limit the number of concurrent disruptions
D. Set resource requests equal to limits to ensure guaranteed QoS class
E. Configure pod anti-affinity to spread replicas across different zones
Answers: C, E

Correct: PDB ensures minimum availability during voluntary disruptions.

Why this answer

Option C is correct because a PodDisruptionBudget (PDB) limits the number of Pods of a replicated application that can be down simultaneously from voluntary disruptions, such as node maintenance or cluster upgrades. This ensures that a minimum number of replicas remain available, improving application reliability during planned events. Option E is correct because pod anti-affinity with topologyKey topology.kubernetes.io/zone spreads replicas over the zones of the regional cluster, so a zonal failure does not take every replica at once (topologySpreadConstraints express the same intent and are the newer mechanism). Option A is actively harmful: a grace period of 0 kills pods mid-request, so scale-down and upgrades surface errors to users. Option B adds capacity, not resilience, and Option D changes the QoS class but not how many replicas survive a disruption.

Exam trap

Google Cloud often tests the distinction between voluntary disruptions (handled by PDB) and involuntary disruptions (e.g., node failure), and the trap here is that candidates confuse resource optimization (requests/limits) or scaling (cluster autoscaler) with resilience mechanisms like PDB and anti-affinity.

767
MCQ · hard

Refer to the exhibit. The HPA is configured to scale based on CPU, but it has not scaled up despite the CPU usage being above the target. Which is the most likely cause?

A. The cluster has autoscaling enabled, which may conflict with HPA.
B. The node pool oauthScopes lack the monitoring scope required for HPA to read metrics.
C. The HPA target is 80%, but the current CPU is 90% which should trigger scaling; the HPA may be broken.
D. The HPA min replicas is 3, so it cannot scale down, but it should scale up.
Answer: B

The answer key attributes the stall to the node pool's OAuth scopes: with only devstorage.read_only, the nodes cannot push metrics to Cloud Monitoring.

Why this answer

The node pool uses a service account with the devstorage.read_only scope, which does not include the monitoring scope, so metrics from those nodes do not reach Cloud Monitoring and an HPA that depends on them has nothing to read; the fix is a node pool with the monitoring scope (or the default scopes) and a service account that holds the Monitoring Metric Writer role. A caveat for real clusters: CPU-based HPA reads the resource metrics API served by metrics-server, which scrapes the kubelets directly and does not go through Cloud Monitoring, so the scope is decisive only when the HPA consumes custom or external metrics through the Cloud Monitoring adapter. When an HPA will not scale, run kubectl describe hpa first: a metric shown as <unknown> points at metrics collection, and a CPU utilization target can never be evaluated for pods that set no CPU resource requests, which is the most common real-world cause.

768
MCQ · hard

A company needs to store archival data that is accessed less than once a year, with retrieval times of up to 12 hours acceptable. The data must be kept for 10 years for compliance. What is the most cost-effective Cloud Storage solution?

A. Cloud Storage Coldline class with a retention policy
B. Cloud Storage Nearline class
C. Cloud Storage Archive class with a lifecycle policy that deletes objects after 10 years
D. Cloud Storage Standard class with object versioning
Answer: C

Archive is the lowest-cost class for data read less than once a year; the 12-hour retrieval allowance is easily met because Archive objects are readable in milliseconds.

Why this answer

Cloud Storage Archive class is designed for long-term preservation with the lowest storage cost. Unlike tape-style archives it has no restore delay: objects are available immediately, and the trade-off is a 365-day minimum storage duration plus higher per-operation and retrieval charges, which suit data accessed less than once a year. A practitioner's caveat: a lifecycle rule that deletes after 10 years handles end of life but does not prevent earlier deletion; if the compliance requirement is that data cannot be removed before 10 years, add a bucket retention policy (locked, if the hold must be irrevocable) to the Archive bucket as well. Coldline (Option A) costs more to store for this access pattern, Nearline more still, and Standard with versioning is the most expensive.

769
MCQ · easy

A company is deploying a web application on Google Kubernetes Engine (GKE) and needs to ensure that the application's service account can only pull images from a specific Container Registry repository. What is the best practice to enforce this?

A. Use Workload Identity and grant the Kubernetes service account's associated Google service account the roles/storage.objectViewer role on the registry bucket.
B. Grant the Compute Engine default service account the roles/storage.objectViewer role on the registry bucket.
C. Set an IAM policy on the pod directly using the 'gke-default' service account.
D. Create an IAM condition on the node pool's service account that limits access to the registry bucket.
Answer: A

Workload Identity binds pod identity to a GSA, and bucket-level IAM restricts access.

Why this answer

Option A is correct because Workload Identity binds a Kubernetes service account to a Google service account, so the grant can be scoped to that one GSA and to the registry's storage bucket (roles/storage.objectViewer on the bucket, not on the project). Option B is wrong because the Compute Engine default service account is the node identity shared by every pod on the node, so the grant would apply to all workloads, not just this application. Option C is wrong because there is no IAM policy on a pod; IAM binds to Google identities, which is exactly what Workload Identity provides. Option D is wrong because an IAM condition on the node pool's service account still scopes the node identity, which every pod on those nodes inherits.

With Artifact Registry, the equivalent grant is roles/artifactregistry.reader on the specific repository.

770
MCQ · easy

A startup wants to encrypt data at rest in Cloud Storage using Customer-Managed Encryption Keys (CMEK). They have already created a Cloud KMS key ring and key. What additional step is required to enable CMEK for a new Cloud Storage bucket?

A. Enable the Cloud KMS API in the project where the bucket will reside.
B. Create a Cloud HSM key instead, as CMEK requires HSM.
C. Add a label to the key ring to associate it with the bucket.
D. Grant the Cloud Storage service account the Cloud KMS CryptoKey Encrypter/Decrypter role on the key.
Answer: D

The service account that Cloud Storage uses must be authorized to use the key.

Why this answer

Option D is correct because Cloud Storage encrypts with the key on the customer's behalf using its own service agent, so that service agent needs roles/cloudkms.cryptoKeyEncrypterDecrypter on the key (or the key ring); without it, writes to the bucket fail with a permission error from KMS. Option A is wrong because the Cloud KMS API is already enabled, since the key ring and key were created. Option B is wrong because Cloud HSM is not required for CMEK, though an HSM-backed key can be used. Option C is wrong because labels carry no authorization; the bucket references the key by resource name, and access is controlled by IAM on the key.

Two checks worth doing: the key must be in a location compatible with the bucket (the same region, or a multi-region key for a multi-region bucket), and revoking the service agent's role later makes existing objects unreadable, which is the intended kill switch but also an outage risk.

771
Multi-Select · medium

A company is migrating a large on-premises data warehouse to BigQuery. The data includes sensitive customer information that must be encrypted at rest and in transit. They also need to mask credit card numbers for analysts who do not have a need to see the full number. Which TWO Google Cloud services should they use? (Choose 2.)

Select 2 answers
A. Cloud Identity-Aware Proxy (IAP)
B. Cloud Data Loss Prevention (DLP)
C. Cloud Data Catalog and policy tags
D. Cloud Audit Logs
E. Cloud Key Management Service (KMS)
Answers: B, C

DLP can inspect and de-identify sensitive data, such as masking credit card numbers, before storing in BigQuery.

Why this answer

BigQuery supports column-level security via policy tags using Data Catalog. Data Loss Prevention (DLP) can automatically classify and mask sensitive data such as credit card numbers. Cloud Key Management Service (KMS) is for managing encryption keys but not for masking.

Cloud Audit Logs are for auditing, not masking. Cloud Identity-Aware Proxy (IAP) controls access at the application level, not for data masking.

772
Multi-Select · hard

A company is running a multi-region application on Google Kubernetes Engine with workloads in us-central1 and europe-west1. They want to route traffic to the closest region based on user location. Which three components should they configure? (Choose three.)

Select 3 answers
A. Cloud Armor security policy
B. Cloud DNS with geo-routing policy
C. Network endpoint groups (NEGs) pointing to GKE pods
D. Regional internal load balancer
E. Global external HTTP(S) load balancer
Answers: B, C, E

Routes DNS queries to the closest region's load balancer IP.

Why this answer

Option B is the answer key's choice: a Cloud DNS geolocation routing policy answers with the IP of the region nearest the resolver's location, which is how you steer users when each region has its own load balancer frontend. Note, though, that with a single global external HTTP(S) load balancer (Option E) the anycast IP already delivers each client to the closest healthy backend without any DNS logic, and the NEGs (Option C) are what expose the GKE pods in both regions as backends of that one load balancer.

Exam trap

The trap here is that candidates confuse Cloud Armor (edge filtering, not routing) with a routing component, or assume a regional internal load balancer can serve multi-region proximity routing when it is regional and internal by definition; the components that get traffic to the nearest region are the global external load balancer with per-region NEG backends, optionally combined with DNS routing policies.

773
MCQ · hard

A company uses Cloud KMS with CMEK to encrypt data stored in BigQuery. They need to audit who has used the encryption key and when. Which type of audit log should they enable?

A. Network Security audit logs
B. Admin Activity audit logs
C. System Event audit logs
D. Data Access audit logs
Answer: D

Data Access logs capture who accessed data or performed cryptographic operations using Cloud KMS keys.

Why this answer

Cloud KMS records cryptographic operations (encrypt, decrypt, sign) in Data Access audit logs, and for Cloud KMS these are off by default: enable DATA_READ and DATA_WRITE for cloudkms.googleapis.com in the project's audit configuration, or there will be nothing to audit. Admin Activity logs record key creation, rotation-schedule changes and IAM changes on the key, not its use. For CMEK-protected BigQuery data the principal in the KMS log is BigQuery's encryption service agent, so correlate with BigQuery's own Data Access logs to see which user's query drove the key use.

774
MCQ · easy

Which GCP service should be used to automatically scale a GKE cluster's number of nodes based on pending pods?

A. Vertical Pod Autoscaler (VPA)
B. Cluster Autoscaler
C. Node Auto-Provisioning
D. Horizontal Pod Autoscaler (HPA)
Answer: B

Cluster Autoscaler automatically adds or removes nodes in a node pool based on pod scheduling needs.

Why this answer

The cluster autoscaler adjusts the number of nodes in existing node pools when pods are pending for lack of resources, and removes underused nodes. HPA scales pod replicas; VPA adjusts pod resource requests.

Node auto-provisioning is a cluster autoscaler feature that creates new node pools sized for pending pods, but the question describes changing node count within existing pools, which is the cluster autoscaler proper.

775
Multi-Select · medium

Which TWO statements are true regarding the benefits of using VPC Network Peering over Cloud VPN for connecting two VPC networks?

Select 2 answers
A. VPC Network Peering provides lower latency because traffic stays within Google's network.
B. VPC Network Peering requires a separate VPN gateway appliance.
C. Cloud VPN incurs egress costs for data transfer, while VPC Network Peering typically does not.
D. VPC Network Peering can only be established within the same organization.
E. Cloud VPN encrypts traffic, which VPC Network Peering does not.
Answers: A, C

Peering uses Google's internal network, avoiding internet hops, thus lower latency.

Why this answer

Option A is correct because VPC Network Peering uses Google's internal infrastructure to route traffic directly between VPC networks, avoiding the public internet and reducing the number of network hops. This results in lower latency compared to Cloud VPN, which typically encrypts and tunnels traffic over the public internet, introducing additional overhead and potential variability in latency.

Exam trap

The trap here is that candidates may confuse the lack of encryption in VPC Network Peering as a disadvantage, but the question asks for benefits, so encryption (Option E) is not a benefit of peering; instead, the lower latency and reduced egress costs are the key advantages.

776
Multi-Select · medium

Which THREE are valid methods to connect an on-premises network to a Google Cloud VPC?

Select 3 answers
A. Dedicated Interconnect
B. Cloud VPN
C. Cloud Router
D. VPC peering
E. Partner Interconnect
Answers: A, B, E

Dedicated Interconnect provides direct physical connection.

Why this answer

Dedicated Interconnect (A) provides a direct physical connection between your on-premises network and Google Cloud, offering high bandwidth and a Service Level Agreement (SLA) of up to 99.99% availability. It uses a cross-connect in a colocation facility to attach your on-premises router to a Google Cloud router, enabling private, low-latency connectivity to your VPC without traversing the public internet.

Exam trap

The trap here is that candidates confuse Cloud Router as a standalone connectivity method, when it is actually a routing component that must be paired with a VPN tunnel or Interconnect to function.

777
MCQ · hard

A multinational corporation operates in multiple regions and must comply with GDPR. They use Cloud Load Balancing to distribute traffic across regional backends. Their security team wants to block traffic from specific countries (e.g., non-EU countries) at the edge. What should they use?

A. Configure Cloud CDN to serve content only to EU-based users.
B. Use Cloud Armor security policies with geographic-based denylist rules.
C. Set VPC firewall rules to allow traffic only from EU IP ranges.
D. Configure Identity-Aware Proxy (IAP) to require user authentication from allowed countries.
Answer: B

Cloud Armor can block traffic from specific countries at the Google Cloud edge.

Why this answer

Cloud Armor security policies support geographic-based access control using denylist or allowlist rules that match client IP addresses against country-level geolocation data. This allows the security team to block traffic from specific countries at the edge, before it reaches the backend, which is the most efficient and compliant approach for GDPR enforcement.

Exam trap

The trap here is that candidates often confuse VPC firewall rules (which filter by IP ranges) with Cloud Armor's geolocation-based policies, or they assume Cloud CDN or IAP can enforce geographic access control, when in fact only Cloud Armor provides native country-level blocking at the edge.

How to eliminate wrong answers

Option A is wrong because Cloud CDN caches content; it has no country-level access control of its own and serves cached objects to whoever reaches it. Option C is wrong because VPC firewall rules filter by IP range, not country, so an EU-only allowlist would be a brittle, constantly changing list, and firewall rules act inside the VPC rather than at the edge. Option D is wrong because IAP authorizes by user identity and context, not by the country an IP address resolves to, and it cannot drop traffic before it reaches the load balancer. For reference, a Cloud Armor rule that blocks a country is written against the origin.region_code attribute (for example origin.region_code == 'XX' with a deny action, where XX is the ISO country code).

778
MCQmedium

A company runs a web application on Compute Engine with an HTTP Load Balancer. Users report intermittent 502 Bad Gateway errors. What is the most likely cause?

A.Load balancer quota exceeded.
B.Firewall rules block health checks.
C.SSL certificate expired.
D.Backend instances are unhealthy or overloaded.
AnswerD

502 Bad Gateway typically means the backend is not responding properly.

Why this answer

A 502 from the external Application Load Balancer means the load balancer could not obtain a valid HTTP response from a backend: the backend reset the connection, the connection setup timed out, the response was malformed, or no healthy backend was available at all. Intermittent 502s while the backend service is mostly healthy point at instances that are saturated or flapping between healthy and unhealthy, which is why backend overload or instability is the most likely cause. The load balancer's request logs in Cloud Logging carry a statusDetails field (values such as failed_to_connect_to_backend or backend_connection_closed_before_data_sent_to_client) that tells you which of these happened, so check it before guessing.

Exam trap

The trap here is that candidates often confuse 502 errors with SSL or quota issues, but the PCA exam specifically tests that 502 errors from an HTTP Load Balancer are almost always due to backend unavailability or overload, not frontend configuration problems.

How to eliminate wrong answers

Option A is wrong because quotas cap how many load balancing resources a project can create; they are enforced when you create or modify resources, not per request, so a quota problem surfaces as an API error to the administrator, not as HTTP 502s served to users. Option B is wrong because if the firewall blocked the health-check source ranges (35.191.0.0/16 and 130.211.0.0/22), every backend would be marked unhealthy and the load balancer would return 502 for every request, not intermittently. Option C is wrong because an expired certificate on the load balancer's frontend breaks the TLS handshake with the client, so the browser shows a certificate error and never receives an HTTP status at all; an expired certificate on a backend would produce consistent failures for that backend, again not intermittent ones.

779
MCQeasy

Your company has migrated its legacy web application from a single Compute Engine instance to a managed instance group (MIG) behind an HTTP(S) load balancer. The application was updated to a new version as part of the migration. After the migration, users report intermittent 502 Bad Gateway errors. The application logs show no errors, and the load balancer backend health checks are reported as healthy. On investigation, the developers discover that the new version requires a specific environment variable for authentication to a downstream service. This variable was set manually on the original instance but is missing from the MIG's instance template. The health check endpoint does not depend on this variable and always returns a 200 status even when the variable is absent. As a result, instances created from the template are considered healthy by the load balancer, but when they receive requests that require authentication, they fail and return a 502 error to the client. What is the most likely cause of the 502 errors?

A.The missing environment variable causes authentication failures on new instances.
B.The health check is configured to check the old application path, which no longer exists.
C.The load balancer's backend timeout is too short for the application's response time.
D.The MIG is not scaling out fast enough to handle peak traffic.
AnswerA

The environment variable is essential for authentication; its absence causes requests to fail with 502 errors. Health checks pass because they do not exercise that code path.

Why this answer

The 502 errors occur because the new application version requires a specific environment variable for authentication to a downstream service. The health check endpoint does not depend on this variable, so instances are marked healthy even though they cannot authenticate real requests. When the load balancer routes traffic to these instances, the missing variable causes authentication failures, leading to 502 Bad Gateway errors.

Exam trap

The trap here is that candidates assume a passing health check guarantees the application is fully functional, but the exam tests the nuance that a health check only covers the code path it exercises; a shallow endpoint produces 'false healthy' instances that fail on real requests.

How to eliminate wrong answers

Option B is wrong because the health check is reported as healthy, indicating it is hitting a valid endpoint (the old path would cause health check failures, not intermittent 502s). Option C is wrong because backend timeout issues would typically cause 504 Gateway Timeout errors, not 502 Bad Gateway errors, and the application logs show no errors. Option D is wrong because scaling issues would cause 503 Service Unavailable errors or increased latency, not 502 errors, and the MIG is not reported as overloaded.
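The 'false healthy' instance in this question is the product of a health check that does not exercise the dependency the real request path needs. The following Python is an added example, not code from the page or from Google: it contrasts the shallow check the question describes with a readiness-style check that verifies the required configuration and the downstream credential, and shows which instances a load balancer would keep in rotation under each. The variable name DOWNSTREAM_AUTH_TOKEN, the fleet and the downstream stub are constructed for the demonstration.

```python
from typing import Callable, Dict, List, Mapping, Tuple

# Placeholder for the unnamed environment variable in the question.
REQUIRED_ENV = ("DOWNSTREAM_AUTH_TOKEN",)

Check = Callable[[Mapping[str, str]], Tuple[int, str]]


def shallow_check(env: Mapping[str, str]) -> Tuple[int, str]:
    """What the question's health check does: answers 200 whenever the
    process is up, regardless of whether a real request could succeed."""
    return 200, "ok"


def deep_check(env: Mapping[str, str],
               downstream_probe: Callable[[str], bool]) -> Tuple[int, str]:
    """Readiness-style check that exercises the same dependencies a real
    request needs: the required configuration is present, and the
    downstream service accepts the credential."""
    missing = [name for name in REQUIRED_ENV if not env.get(name)]
    if missing:
        return 503, "missing config: " + ", ".join(missing)
    try:
        if not downstream_probe(env[REQUIRED_ENV[0]]):
            return 503, "downstream rejected credential"
    except Exception as exc:  # network error, timeout, etc.
        return 503, f"downstream unreachable: {exc}"
    return 200, "ready"


def fake_downstream(token: str) -> bool:
    """Constructed stand-in for the downstream auth service: it accepts one
    known token. In production this would be a cheap authenticated call."""
    return token == "valid-token"


def healthy_backends(check: Check,
                     instances: Dict[str, Mapping[str, str]]) -> List[str]:
    """Backends a load balancer would keep in rotation under a given check:
    those whose check returns 200."""
    return [name for name, env in instances.items() if check(env)[0] == 200]


# Constructed fleet: the hand-configured legacy VM and two MIG instances
# created from a template that lacks the variable.
FLEET: Dict[str, Mapping[str, str]] = {
    "legacy-vm": {"DOWNSTREAM_AUTH_TOKEN": "valid-token"},
    "mig-0001": {},
    "mig-0002": {},
}


def rotation_with_shallow_check() -> List[str]:
    return healthy_backends(shallow_check, FLEET)


def rotation_with_deep_check() -> List[str]:
    return healthy_backends(lambda env: deep_check(env, fake_downstream), FLEET)


if __name__ == "__main__":
    print("shallow check keeps:", rotation_with_shallow_check())  # all three
    print("deep check keeps:   ", rotation_with_deep_check())     # legacy-vm only
```

Keep deep checks cheap and scoped to dependencies without which the instance can serve nothing useful: if the probe calls a downstream that is itself down, every instance fails the check at once and the load balancer has no backends left, which turns a partial outage into a total one. Also remember that a managed instance group's autohealing policy uses the same kind of check to recreate instances, not merely to drain them.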

780
Multi-Selectmedium

A company wants to implement a zero-trust access model for internal web applications running on Compute Engine. They need to authenticate users using corporate credentials and enforce context-aware access based on device posture and IP address. Which TWO services should they use?

Select 2 answers
A.VPC Service Controls
B.Cloud VPN
C.Cloud Identity
D.Cloud Armor
E.Identity-Aware Proxy (IAP)
AnswersC, E

Cloud Identity provides the corporate user directory and single sign-on; IAP enforces authentication and authorization on every request in front of the Compute Engine backends.

Why this answer

Identity-Aware Proxy (IAP) sits in front of the load-balanced Compute Engine backends, authenticates each request against Cloud Identity (or a corporate IdP federated into it), and authorizes it with IAM. Context-aware conditions such as client IP ranges and device posture are expressed as Access Context Manager access levels (device attributes come from Endpoint Verification) and referenced from the IAP IAM binding. Access Context Manager is also what VPC Service Controls (A) uses, but VPC Service Controls builds a perimeter around Google API access to resources such as Cloud Storage and BigQuery; it does not govern user access to a web application. Cloud VPN (B) is network connectivity into the VPC, the perimeter model that zero trust replaces, and Cloud Armor (D) is a WAF and DDoS layer that does not authenticate users.

781
MCQeasy

Your company runs a global e-commerce platform on Google Cloud. The application is deployed across multiple regions for low latency. You use Cloud SQL for transactional data and Cloud Spanner for global consistency of inventory. Recently, the operations team reported that the application is experiencing increased latency during peak hours, and the monthly cloud bill has risen significantly. Upon investigation, you find that the Cloud SQL instance is underutilized (CPU < 20%) while Cloud Spanner split utilization is over 80%. The application instances are fronted by a global external HTTPS load balancer. Network egress costs are high. Which course of action would best address both the latency and cost issues?

A.Reduce the Cloud SQL instance tier to a lower machine type to save costs, and add read replicas in other regions for failover.
B.Add more nodes to the Cloud SQL instance and enable automatic storage increase to handle peak loads.
C.Increase the number of splits in Cloud Spanner to reduce hot spots, and configure Cloud CDN in front of the load balancer to cache static content.
D.Move the transactional database to Cloud Spanner and decommission Cloud SQL to reduce complexity.
AnswerC

Spanner is the bottleneck, not Cloud SQL: add Spanner compute capacity and remove key hotspots, and put Cloud CDN in front of the load balancer to cut egress and latency for static content.

Why this answer

The symptoms point at Cloud Spanner, not Cloud SQL: Cloud SQL is idle while Spanner is above the recommended utilization, so Spanner is where the latency comes from. Spanner manages splits itself; the way to 'add splits' in practice is to add nodes or processing units (Spanner creates and rebalances splits as capacity grows) and to fix the schema or key design that concentrates load on a few splits, such as monotonically increasing primary keys. The high egress bill comes from serving responses out of the regional backends to users worldwide; Cloud CDN serves cacheable responses from Google's edge, which reduces both backend egress and round-trip latency.

Option A lowers the Cloud SQL tier, which saves little on an already underutilized instance and does nothing for Spanner; Cloud SQL read replicas are for read scaling and manual promotion, not failover. Option B scales Cloud SQL, which is not the bottleneck (and Cloud SQL scales vertically by machine type, not by 'adding nodes'). Option D moves more load onto the Spanner instance that is already near capacity and adds migration risk.

782
MCQeasy

You need to create a Cloud Logging sink that exports logs to a BigQuery dataset for long-term analysis. Which destination type should you specify?

A.Cloud Storage
B.BigQuery
C.Pub/Sub
D.Custom HTTP endpoint
AnswerB

BigQuery is a sink destination for logs.

Why this answer

BigQuery is a supported sink destination; the other supported destinations are Cloud Storage buckets, Pub/Sub topics, Cloud Logging buckets (in the same or another project) and Google Cloud projects. A custom HTTP endpoint is not a sink destination; to reach one you export to Pub/Sub and use a push subscription. For long-term analysis, specify the BigQuery dataset directly and grant the sink's writer identity the BigQuery Data Editor role on that dataset, or the export fails.

783
MCQhard

You have a Cloud Deploy delivery pipeline with an approval gate. You want to automatically roll back a release if the rollout fails during the deploy step. How should you configure the pipeline?

A.Set an automatic rollback policy in the delivery pipeline definition
B.Use a Cloud Build post-deploy hook to check the rollout status and roll back if needed
C.Configure the approval gate to reject the deployment if it fails
D.Enable the 'rollback on failure' flag in the pipeline
AnswerB

Within the question's premise, Cloud Deploy has no rollback-on-failure setting, so something outside the pipeline (a Cloud Build step or a Pub/Sub-triggered function) has to watch rollout status and trigger the rollback with gcloud.

Why this answer

Cloud Deploy does not roll back a failed rollout on its own: a failed rollout stays failed until a new rollout targets the previous release. The pattern the question expects is to watch rollout state (Cloud Deploy publishes rollout state changes to the clouddeploy-operations Pub/Sub topic) and roll back with gcloud deploy targets rollback. Be aware that Cloud Deploy has since added deploy automation rules in the delivery pipeline definition, including a repair rollout rule that can retry or roll back a failed rollout; on a current exam an option describing that configuration would be the better answer, so read the choices carefully.

784
MCQeasy

Your organization wants to use Cloud SQL for a MySQL database with automatic failover in the event of a zone outage. Which configuration should you choose?

A.Set up Cloud SQL with external replication to a VM in another zone
B.Create a Cloud SQL instance with a cross-region read replica
C.Create a single-zone Cloud SQL instance with automatic backups enabled
D.Create a regional Cloud SQL instance (high availability) with a primary and standby zone
AnswerD

Regional instances provide automatic failover.

Why this answer

Cloud SQL high availability is a regional configuration: a primary in one zone and a synchronously replicated standby in another zone of the same region, backed by a regional persistent disk. If the primary's zone fails, Cloud SQL fails over to the standby automatically and the instance's IP address stays the same, so clients only need to reconnect. The standby is not readable; it exists only for failover. A read replica, cross-region or not, is asynchronous and must be promoted manually, so it provides disaster recovery, not automatic failover.

785
Multi-Selecthard

A company is designing a disaster recovery plan for a critical application running on Compute Engine with data in Cloud SQL. They require a Recovery Time Objective (RTO) of 1 hour and a Recovery Point Objective (RPO) of 5 minutes. Which THREE actions should they take? (Choose THREE.)

Select 3 answers
A.Configure a Cloud SQL cross-region replica in the DR region
B.Enable Cloud SQL automatic storage increase
C.Set up Cloud DNS failover with weighted routing
D.Create a managed instance group in the DR region
E.Use Cloud CDN to cache static content globally
AnswersA, C, D

Provides near real-time replication meeting RPO of 5 minutes.

Why this answer

A cross-region Cloud SQL read replica replicates asynchronously; under normal load the lag is seconds, which fits an RPO of 5 minutes, but the lag (the replica_lag metric) should be monitored because it is what the RPO actually depends on. On failover the replica is promoted to a standalone primary. A managed instance group in the DR region, built from the same instance template, brings up the compute tier quickly, and a Cloud DNS routing policy with health checks (failover or weighted) moves clients to the DR region. Together these fit inside a one-hour RTO. Automatic storage increase (B) and Cloud CDN (E) address capacity and latency, not recovery objectives.

786
Multi-Selecthard

An organization needs to comply with FedRAMP requirements and restrict data storage to specific regions. They also need to audit all admin activities and data access. Which three components should they implement? (Choose three.)

Select 3 answers
A.VPC Service Controls
B.Data Access audit logs
C.Cloud Armor
D.Admin Activity audit logs
E.Assured Workloads
AnswersB, D, E

Why this answer

Assured Workloads creates a folder with a FedRAMP (Moderate or High) control package that enforces data residency through organization policy constraints and restricts Google personnel access. Admin Activity audit logs are always on and free; Data Access audit logs are off by default for most services (BigQuery is the exception), must be enabled per service, and can be high volume, so budget for their storage. VPC Service Controls (A) is a useful addition against exfiltration but does not by itself satisfy region restriction or auditing, and Cloud Armor (C) is unrelated.

787
MCQhard

Your company runs a multi-region web application on Google Kubernetes Engine (GKE) with pods that process sensitive user data. The application uses Cloud SQL for PostgreSQL as the backend database. Your security team has implemented the following controls: 1) All traffic to the database is encrypted using SSL/TLS. 2) The GKE cluster uses Workload Identity to bind Kubernetes service accounts to IAM service accounts. 3) The Cloud SQL instance is configured with a public IP address and authorized networks to allow only the GKE cluster's node IP ranges. 4) The database credentials are stored in Secret Manager and mounted as volumes in the pods. Recently, a security audit revealed that a pod was compromised due to a container vulnerability. The attacker was able to exfiltrate sensitive data directly from the Cloud SQL database using the credentials from Secret Manager. The security team wants to prevent such exfiltration in the future while minimizing changes to the application code. Which course of action should you recommend?

A.Deploy Cloud SQL Auth Proxy as a sidecar container in each pod, and configure IAM database authentication to replace static credentials.
B.Migrate the database to Cloud Spanner, which has built-in IAM integration and automatic encryption.
C.Rotate the database password and store the new password in Secret Manager, then update the application to fetch the password from Secret Manager at startup.
D.Change the Cloud SQL instance to use a private IP address and disable public access, ensuring only the GKE cluster can reach it via VPC peering.
AnswerA

Cloud SQL Auth Proxy with IAM authentication removes static credentials and uses IAM roles to control access, preventing credential exfiltration.

Why this answer

Option A is correct because the Cloud SQL Auth Proxy sidecar, started with IAM database authentication, connects to the instance with a short-lived OAuth token obtained from the pod's Google service account through Workload Identity. There is no long-lived password to mount, steal or replay from another network: the database user is the service account itself, access is granted with the cloudsql.client and cloudsql.instanceUser IAM roles, and revoking the service account's role cuts off access immediately. The proxy also handles TLS to the instance. Application changes are limited to connecting to 127.0.0.1 on the proxy's port and using the service account name as the database user.

Exam trap

Google Cloud often tests the misconception that network-level controls such as private IP are enough to stop exfiltration from a compromised pod; a pod inside the VPC already has network reach, and the real exposure is a static credential that can be copied and replayed from anywhere. Note the limit of option A: while the compromised pod is running, the attacker can still query the database as the pod's identity, so pair IAM authentication with least-privilege grants on the database roles, private IP, and Cloud SQL audit logging (pgaudit for PostgreSQL) to contain and detect that access.

How to eliminate wrong answers

Option B is wrong because migrating to Cloud Spanner is a significant architectural change with new data modeling and rewritten data access code, which violates the requirement to minimize application changes. Option C is wrong because a rotated password is still a static secret: the compromised pod reads the new one from the mounted volume just as it read the old one, and fetching it at startup instead of mounting it changes nothing. Option D is good hygiene and worth doing anyway (a public IP with authorized node ranges is a weak control), but it is wrong as the answer because the attacking pod is already inside the VPC; with private IP it can still reach the instance and log in with the stolen credentials.
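The change option A describes is mostly a manifest change. The following Python is an added example, not code from the page or from Google: it embeds a constructed 'before' pod spec (static password mounted from a Secret, direct connection to the instance IP) and an 'after' spec (Cloud SQL Auth Proxy sidecar with --auto-iam-authn and --private-ip, no password), and runs a small policy check over both that flags the patterns the audit found. The project, instance, image tag, service-account and variable names are assumptions; the proxy flags are the real Cloud SQL Auth Proxy v2 flags. The Kubernetes service account api-ksa is assumed to carry the iam.gke.io/gcp-service-account annotation for Workload Identity, and the Google service account to hold roles/cloudsql.client and roles/cloudsql.instanceUser.

```python
from typing import Any, Dict, List

# Constructed manifests (not from the page). Names are placeholders.

# Before: a static password is mounted from a Secret and the app connects
# straight to the instance's IP address.
POD_BEFORE: Dict[str, Any] = {
    "metadata": {"name": "api"},
    "spec": {
        "serviceAccountName": "api-ksa",
        "volumes": [{"name": "db-creds",
                     "secret": {"secretName": "db-password"}}],
        "containers": [{
            "name": "app",
            "image": "example.com/api:1.0",
            "env": [{"name": "DB_HOST", "value": "203.0.113.10"},
                    {"name": "DB_PASSWORD_FILE", "value": "/secrets/password"}],
            "volumeMounts": [{"name": "db-creds", "mountPath": "/secrets",
                              "readOnly": True}],
        }],
    },
}

# After: the app talks to the proxy on localhost and logs in as the
# Workload Identity service account; there is no password anywhere.
POD_AFTER: Dict[str, Any] = {
    "metadata": {"name": "api"},
    "spec": {
        "serviceAccountName": "api-ksa",  # KSA annotated for Workload Identity
        "containers": [
            {
                "name": "app",
                "image": "example.com/api:1.0",
                "env": [{"name": "DB_HOST", "value": "127.0.0.1"},
                        {"name": "DB_PORT", "value": "5432"},
                        # PostgreSQL IAM user name: the service account
                        # email without the .gserviceaccount.com suffix
                        {"name": "DB_USER", "value": "api-sa@my-project.iam"}],
            },
            {
                "name": "cloud-sql-proxy",
                "image": "gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.14.0",
                "args": ["--private-ip",      # never the public IP
                         "--auto-iam-authn",  # short-lived OAuth token, no password
                         "--port=5432",
                         "my-project:us-central1:orders"],
                "securityContext": {"runAsNonRoot": True},
            },
        ],
    },
}


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Flag the patterns from the incident: a static credential reachable
    from the app container, and a database path that bypasses the Auth
    Proxy or runs it without IAM authentication or private IP."""
    findings: List[str] = []
    spec = pod["spec"]
    containers = spec.get("containers", [])
    secret_volumes = {v["name"] for v in spec.get("volumes", []) if "secret" in v}
    for c in containers:
        for m in c.get("volumeMounts", []):
            if m["name"] in secret_volumes:
                findings.append(f"{c['name']}: Secret volume '{m['name']}' mounted "
                                f"at {m['mountPath']} (readable by any process "
                                f"in the container)")
        for e in c.get("env", []):
            if "PASSWORD" in e["name"].upper():
                findings.append(f"{c['name']}: static password reference in "
                                f"env {e['name']}")
    proxies = [c for c in containers if "cloud-sql-proxy" in c.get("image", "")]
    if not proxies:
        findings.append("no Cloud SQL Auth Proxy sidecar; app connects to the "
                        "instance directly")
    for p in proxies:
        args = p.get("args", [])
        if "--auto-iam-authn" not in args:
            findings.append(f"{p['name']}: proxy runs without --auto-iam-authn")
        if "--private-ip" not in args:
            findings.append(f"{p['name']}: proxy not pinned to --private-ip")
    return findings


if __name__ == "__main__":
    for label, pod in (("before", POD_BEFORE), ("after", POD_AFTER)):
        print(label, audit_pod(pod) or ["clean"])
```

Run this as a CI check over rendered manifests rather than as the only control: it inspects pod specs, so it cannot see whether the Kubernetes service account is really bound to the intended Google service account or whether that IAM user's database grants are least privilege. Those two checks belong in the same review.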

788
Matchingmedium

Match each GCP security service to its function.

Cloud KMS: manage encryption keys
Cloud HSM: hardware security module for key protection
Secret Manager: store API keys, passwords, certificates
Cloud IAM: manage access control
Security Command Center: centralized security and risk management

Why these pairings

Cloud KMS creates, rotates and uses symmetric and asymmetric keys, and Cloud HSM is the KMS protection level that keeps those keys in FIPS 140-2 Level 3 validated hardware. Secret Manager stores application secrets as versioned payloads with IAM-controlled access and audit logging. Cloud IAM defines which principal holds which role on which resource. Security Command Center aggregates vulnerability and misconfiguration findings, threat detections and compliance posture across the organization.

789
MCQhard

A company has a global web application deployed across multiple regions. They use an external HTTPS Load Balancer with backend services in us-central1 and europe-west1. They want users to be routed to the closest healthy backend. Which load balancing configuration is required?

A.Internal HTTP(S) Load Balancer
B.External HTTPS Load Balancer with global backend
C.External TCP/UDP Network Load Balancer
D.Classic Application Load Balancer
E.Regional external HTTPS Load Balancer
AnswerB

Correct. Global external HTTPS Load Balancer supports proximity-based routing.

Why this answer

Option B is correct because the global external Application Load Balancer has a single anycast IP advertised from Google's edge on the Premium Tier and one backend service that can contain instance groups in several regions. Requests enter at the nearest edge and are sent to the closest region that has healthy capacity (us-central1 or europe-west1 here), with automatic spill-over to the other region when a backend is unhealthy or at capacity.

Exam trap

The trap here is that candidates often confuse 'global' with 'regional' load balancers, mistakenly thinking a regional external HTTPS load balancer can serve multiple regions, but only the global external HTTPS load balancer supports cross-region backend services with anycast routing.

How to eliminate wrong answers

Option A is wrong because an internal Application Load Balancer serves clients inside the VPC, not users on the internet. Option C is wrong because the external passthrough Network Load Balancer operates at layer 4, is regional, and does not terminate HTTPS or choose backends across regions. Option D is the distractor to be careful with: the classic Application Load Balancer is the previous-generation global external HTTPS load balancer, and on the Premium Tier it also routes to backends in multiple regions; it is not regionally scoped. The exam expects the current global external Application Load Balancer, which is what option B describes.

Option E is wrong because a regional external Application Load Balancer lives in one region and uses only backends in that region, so it cannot spread traffic between us-central1 and europe-west1.

790
MCQmedium

An organization needs to run a stateful application on Google Kubernetes Engine (GKE) where the nodes are fully managed by Google and the application workload SLAs are guaranteed. They want to minimize operational overhead. Which GKE mode should they use?

A.GKE Standard with Cluster Autoscaler
B.GKE Standard with node auto-provisioning
C.GKE Standard with sole-tenant nodes
D.GKE Autopilot
AnswerD

Autopilot provides a fully managed cluster with workload SLAs and no node management overhead.

Why this answer

GKE Autopilot provisions, scales, patches and repairs the nodes for you and bills per pod resource request rather than per node. It carries a pod-level availability SLA for workloads spread across multiple zones, in addition to the control-plane SLA, which is what 'guaranteed workload SLAs' refers to. In Standard mode, even with cluster autoscaler or node auto-provisioning, the node pools remain yours to configure and maintain, and sole-tenant nodes add rather than remove operational overhead. Note that Autopilot enforces its own security defaults (it restricts privileged pods and host namespaces and removes node SSH), which a stateful application may need to accommodate.

791
MCQmedium

You want to monitor the latency of an application running on Compute Engine and create an alert if the 99th percentile latency exceeds 500ms for more than 5 minutes. Which approach should you use?

A.Use Cloud Trace to analyze latency and set a trace-based alert
B.Use Error Reporting to capture latency errors
C.Create a Metric Threshold alert using the 'Latency' metric with a percentile alignment
D.Create a log-based metric from application logs and set an alert on that metric
AnswerC

Correct. Cloud Monitoring stores latency as a Distribution metric, and an alerting policy can align it with a percentile aligner.

Why this answer

A metric-threshold alerting policy on a distribution-valued metric can use the ALIGN_PERCENTILE_99 aligner over a 5-minute alignment period, with 'above 500 ms for 5 minutes' expressed as the condition's duration. Note that a Compute Engine VM exposes no request-latency metric on its own: the value has to come from the external Application Load Balancer in front of the instances (loadbalancing.googleapis.com/https/total_latencies, if one is used) or from a custom distribution metric the application exports through the Ops Agent or OpenTelemetry. Cloud Trace (A) samples traces for analysis and is not an alerting source; Error Reporting (B) groups exceptions, not latency; a log-based metric (D) works if latency is only available in logs, but it is a workaround rather than the direct answer.

792
MCQmedium

A company is migrating hundreds of on-premises VMs to Compute Engine. They want to minimize manual effort and downtime. Which service should they use?

A.Cloud Build
B.gcloud compute instances import
C.Transfer Appliance
D.Migrate for Compute Engine
E.CloudEndure
AnswerD

Correct. It supports bulk migration with minimal downtime.

Why this answer

Migrate for Compute Engine (formerly Velostrata, now branded Migrate to Virtual Machines within Migration Center) is the correct choice because it is a managed service built for moving VM fleets to Compute Engine with minimal downtime. It replicates the source VM's disks continuously while the source keeps running, lets you test-clone the migrated VM, and then performs a short cut-over, so hundreds of VMs can be migrated in waves with little manual effort.

Exam trap

The trap here is that candidates may confuse CloudEndure (a popular third-party migration tool) with a native Google Cloud service, or assume gcloud compute instances import is sufficient for large-scale live migrations, but the exam emphasizes using the dedicated, fully managed migration service for minimal downtime and automation.

How to eliminate wrong answers

Option A (Cloud Build) is wrong because it is a CI/CD service for building, testing, and deploying software artifacts, not for migrating on-premises VMs to Compute Engine. Option B (gcloud compute instances import) is wrong because it is a command-line tool for importing single VM images or disks, not designed for orchestrating hundreds of live VM migrations with minimal downtime. Option C (Transfer Appliance) is wrong because it is a physical hardware device for offline bulk data transfer to Google Cloud, not suitable for live VM migration with minimal downtime.

Option E (CloudEndure) is wrong because it is an AWS service (now part of AWS Application Migration Service), not a Google Cloud service; while it can migrate to GCP, it is not a native Google Cloud offering and the question asks for a service they should use, implying a Google-managed solution.

793
MCQmedium

A company wants to enforce that all secrets used by applications running on Compute Engine are rotated automatically every 30 days. Which GCP service should they use to store and manage these secrets?

A.Cloud Key Management Service with CMEK
B.Secret Manager
C.Environment variables
D.Cloud KMS
AnswerB

Why this answer

Secret Manager is the service for storing and versioning application secrets with IAM-controlled access. It does not rewrite the secret for you: its rotation feature is a schedule (for example every 30 days) on which it publishes a notification to a Pub/Sub topic, and a function you own then generates the new credential, updates the dependent system and adds a new secret version. Applications that read the 'latest' version pick up the new value without redeployment. Cloud KMS (A and D) rotates encryption keys, not application secrets, and environment variables (C) are neither stored securely nor rotated.

794
MCQeasy

A company needs to deploy a stateless web application that can handle variable traffic. Which compute option is the most cost-effective and scales automatically?

A.App Engine standard environment with automatic scaling.
B.Google Kubernetes Engine (GKE) with cluster autoscaling.
C.Compute Engine with managed instance groups and autoscaling.
D.Compute Engine with preemptible VMs.
E.Cloud Run with CPU always allocated.
AnswerA

App Engine standard is serverless, cost-effective, and auto-scales.

Why this answer

App Engine standard environment with automatic scaling is the most cost-effective and automatically scales to zero when there is no traffic, making it ideal for variable traffic stateless web applications. It abstracts infrastructure management, charges only for resources used, and handles scaling instantly without provisioning overhead.

Exam trap

Google Cloud often tests the misconception that managed instance groups or GKE are always the best for autoscaling, but the trap here is that for a stateless web app with variable traffic, serverless options like App Engine standard are more cost-effective because they scale to zero and require no infrastructure management.

How to eliminate wrong answers

Option B is wrong because GKE with cluster autoscaling requires managing a Kubernetes cluster, which adds operational overhead and cost for a simple stateless web app, and it does not scale to zero. Option C is wrong because Compute Engine with managed instance groups and autoscaling still requires managing VMs and has a minimum instance count, leading to higher costs and slower scaling compared to serverless options. Option D is wrong because preemptible VMs can be terminated at any time, making them unsuitable for a production web application that needs reliability and consistent availability.

Option E is wrong because Cloud Run with CPU always allocated incurs costs even when the application is idle, whereas the default CPU-throttled mode is more cost-effective for variable traffic.

795
MCQmedium

A team manages a GKE cluster with node pools using different machine types. They plan to upgrade the cluster to a new Kubernetes version. What is the safest upgrade strategy to minimize application downtime?

A.Perform a rolling upgrade by draining all nodes simultaneously.
B.Create a new cluster with the desired version and migrate workloads.
C.Use a surge upgrade to add new nodes before removing old ones.
D.Upgrade the node pool configuration one by one.
AnswerC

Surge upgrade maintains capacity during the upgrade, minimizing disruption.

Why this answer

Option C is correct because a surge upgrade in GKE adds new nodes with the desired Kubernetes version before removing old nodes, ensuring capacity is maintained throughout the process. This minimizes application downtime by allowing pods to be rescheduled onto new nodes before old nodes are drained, following a controlled rolling update pattern that respects PodDisruptionBudgets.

Exam trap

Google Cloud often tests the misconception that draining all nodes simultaneously is a valid rolling upgrade strategy, when in fact it causes complete downtime and violates Kubernetes best practices for workload availability.

How to eliminate wrong answers

Option A is wrong because draining all nodes simultaneously would remove all running pods at once, causing complete application downtime and violating PodDisruptionBudgets if configured. Option B is wrong because creating a new cluster and migrating workloads requires manual or tool-based migration, which introduces significant operational overhead and potential downtime during the cutover, and is not the safest or most efficient strategy for an existing cluster. Option D is wrong because upgrading node pool configuration one by one does not specify a surge or rolling mechanism; without surge, it would drain nodes in the pool sequentially, potentially causing capacity shortages and downtime if the pool is under-provisioned.

796
MCQhard

A company has a multi-region deployment of App Engine and wants to optimize request routing for latency and cost. Which GCP service should they use?

A.Cloud Endpoints.
B.Cloud Load Balancing with global anycast.
C.Cloud DNS with latency-based routing.
D.Cloud Traffic Director.
AnswerB

Global load balancing directs users to the closest healthy backend, minimizing latency and balancing cost.

Why this answer

Cloud Load Balancing's global external Application Load Balancer advertises one anycast IP from Google's edge and forwards each request over Google's backbone to the nearest healthy backend, which minimizes latency for a multi-region deployment. App Engine services attach to it through serverless network endpoint groups, one per region, and the load balancer's health-aware routing and Cloud CDN support give control over both latency and egress cost. Note that anycast global routing requires the Premium Network Service Tier; a Standard Tier forwarding rule is regional, so 'standard tier for lower cost' is not available for this design.

Exam trap

The trap here is that candidates often confuse Cloud DNS latency-based routing (a DNS-level, cache-prone approach) with true anycast-based global load balancing, which provides immediate, health-aware routing without DNS caching delays.

How to eliminate wrong answers

Option A is wrong because Cloud Endpoints is an API management service for securing, monitoring and managing APIs, not a global load balancer. Option C is wrong because Cloud DNS geolocation routing works at DNS resolution time: it has no per-request health awareness beyond the optional DNS health checks, resolver caching delays any change, and it cannot split traffic at the request level the way a global load balancer can. Option D is wrong because Traffic Director (now part of Cloud Service Mesh) configures service-mesh data planes such as Envoy proxies on GKE or Compute Engine; it manages east-west traffic between services, not internet-facing routing to App Engine.

797
MCQmedium

Refer to the exhibit. A user reports that the instance 'batch-vm' is unavailable. Based on the output, what is the most likely cause of the unavailability?

A.The VM was stopped manually by a user.
B.The preemptible VM was terminated by Google due to its preemptible nature.
C.The VM lost its external IP address.
D.The VM crashed due to an out-of-memory error.
AnswerB

A preemptible VM can be reclaimed by Compute Engine at any time, and a preempted VM is left in status TERMINATED.

Why this answer

The exhibit shows the instance 'batch-vm' in status TERMINATED with the preemptible flag set to true. Preemptible VMs run for at most 24 hours and can be reclaimed by Compute Engine whenever capacity is needed; when that happens the instance gets a 30-second shutdown notice and is left in TERMINATED. Given the flag and an unavailability nobody initiated, preemption is the most likely cause. To confirm rather than infer, look for a compute.instances.preempted system event for that instance in the Logs Explorer, or check the managed instance group's recent actions if the VM belongs to one.

Exam trap

Google Cloud often tests whether candidates know that preemption is an expected, non-error lifecycle event, and the distractors exploit confusion between a stop and a crash. Be aware that gcloud also shows a manually stopped VM as TERMINATED; the preemptible flag and the preempted event in the logs, not the status alone, are what distinguish the two. (Spot VMs are the current form of preemptible VMs; they behave the same way but have no 24-hour limit.)

How to eliminate wrong answers

Option A is wrong because nothing in the exhibit indicates a user-initiated stop; a manual stop would leave the same TERMINATED status, but it would appear as a compute.instances.stop entry in the Admin Activity audit log with a user principal, whereas preemption appears as a system event. Option C is wrong because losing an external IP address does not change the VM's status; it stays RUNNING and is merely unreachable at that address. Option D is wrong because a guest-level out-of-memory condition leaves the VM RUNNING (the guest OS may be wedged or may have killed a process) unless something reboots or stops it; it does not move the instance to TERMINATED on its own.

798
MCQhard

A company is running a stateful application on Compute Engine with local SSDs for low-latency writes. They want to perform a rolling update without losing data stored on the local SSDs. Which strategy is MOST appropriate?

A.Perform a rolling update using a managed instance group with a canary target; data on local SSDs will be preserved because the instance is only updated.
B.Use a stateful managed instance group with preserved local SSDs.
C.Snapshot the local SSDs before the update and restore after each instance update.
D.Migrate the application to use persistent disks for data storage, then perform rolling updates.
AnswerD

Persistent disks survive instance termination, enabling rolling updates without data loss.

Why this answer

Local SSDs are ephemeral: their contents are lost when the instance is stopped, deleted or recreated, and a managed instance group rolling update replaces instances, so every updated instance comes back with empty local SSDs. Stateful managed instance groups (B) preserve persistent disks, instance names and metadata across updates, not local SSD contents, so that option does not solve the problem. Snapshots (C) are taken from persistent disks; local SSDs cannot be snapshotted, and copying data off and back for every instance is slow and error-prone.

The right fix is to keep durable data on persistent disks (or Hyperdisk, where the write-latency budget allows) and reserve local SSD for caches or scratch space that can be rebuilt; then the rolling update can replace instances without data loss.

799
MCQmedium

A company wants to analyze the total cost of ownership (TCO) for migrating their on-premises data center to Google Cloud. They need to compare compute, storage, and network costs, including operational expenses like maintenance and power. Which tool should they use?

A.Google Cloud Pricing Calculator
B.Cloud Billing reports
C.Active Assist cost optimization recommendations
D.Google Cloud TCO Calculator
AnswerD

The TCO Calculator is specifically designed to compare on-prem costs (including operational) with Google Cloud costs.

Why this answer

Google Cloud's TCO calculator allows you to input on-premises infrastructure details and estimate cloud costs, including compute, storage, network, and operational savings. The Pricing Calculator is for estimating cloud costs but does not compare on-prem vs cloud. Active Assist is for optimization recommendations, not TCO analysis.

800
MCQmedium

A company runs a stateful application on GKE that requires persistent storage. They want to ensure that during cluster upgrades, pods are not disrupted and storage is preserved. Which configuration should they use?

A.Enable Cluster Autoscaler on the node pool
B.Use a Deployment with a HorizontalPodAutoscaler
C.Use a StatefulSet with a PodDisruptionBudget
D.Use PersistentVolumeClaims with ReadWriteMany access mode
AnswerC

StatefulSets provide stable persistent storage for each pod, and PodDisruptionBudgets prevent voluntary disruptions during cluster upgrades.

Why this answer

PodDisruptionBudgets (PDBs) limit how many pods of an application may be evicted at once during voluntary disruptions, and GKE node upgrades honor them while draining nodes. A StatefulSet gives each pod a stable identity and its own PersistentVolumeClaim (ReadWriteOnce, backed by a persistent disk), so when a pod is rescheduled onto an upgraded node the same volume is reattached and its data is intact. Together they give ordered, graceful pod movement with storage preserved. Note that an overly strict PDB (for example minAvailable equal to the replica count) blocks the drain and stalls the upgrade instead of protecting it.

The cluster autoscaler (A) only adjusts node count. A Deployment with a HorizontalPodAutoscaler (B) scales stateless replicas and offers no stable per-pod storage. ReadWriteMany (D) is an access mode for shared filesystems such as Filestore, not a disruption control.

801
MCQhard

A company runs a Bigtable instance for real-time analytics. They notice increasing latency for point reads. The row key pattern is 'YYYYMMDD_userID_productID'. The team suspects read hotspots. Which row key design change would BEST distribute the load across tablets?

A.Prepend a random number field: 'random_YYYYMMDD_userID_productID'
B.Reorder to 'userID_productID_YYYYMMDD'
C.Keep the same order but use a shorter timestamp: 'YYMMDD_userID_productID'
D.Reverse the timestamp: 'DDMMYYYY_userID_productID'
AnswerB

Putting the user ID first makes each user's rows contiguous and removes the date prefix that pushes every current-day read into the same tablet; concurrent reads for many different users then land on many tablets.

Why this answer

Leading with a high-cardinality field (such as user ID) spreads rows across the key space, because Bigtable sorts rows lexicographically and splits tablets by key range. With the date first, all of today's rows sit in one key range, so the current day's reads hit one tablet and one node. Promoting a high-cardinality field ahead of the timestamp is the standard fix; hashing or bucketing the leading field is the alternative when that field itself is skewed.

Salting with a random prefix (option A) is a write-distribution technique, not a point-read fix: a random value cannot be recomputed at read time, so the reader no longer knows the key. A salt that must support point reads has to be deterministic, for example a hash of the user ID. Options C and D only change the date format and leave the same hotspot in place.

802
MCQmedium

A team wants to provide a consistent, low-latency experience for global users accessing static content (images, CSS, JS) hosted on Cloud Storage. They also need to be able to invalidate cached content quickly when updates occur. Which service should they use?

A.Cloud NAT
B.Cloud Load Balancing with backend bucket
C.Cloud Storage transfer service
D.Cloud CDN
AnswerD

Cloud CDN caches static content globally and supports cache invalidation via the console or CLI.

Why this answer

Cloud CDN caches content at edge locations for low latency. Cache invalidation allows purging updated content, which is essential for static assets.

803
MCQmedium

A company is designing a VPC Service Controls perimeter to protect data stored in Google Cloud. They need to allow access from their on-premises network via a Cloud VPN tunnel while blocking all internet-based access. What is the most secure and manageable approach?

A.Configure firewall rules to only allow traffic from the on-premises CIDR to the VPC.
B.Use Cloud VPN and Private Google Access to allow on-premises access without public IPs.
C.Configure a VPC Service Controls perimeter and create an access level that includes the on-premises CIDR range.
D.Use Cloud IAP (Identity-Aware Proxy) to restrict access based on identity and context.
AnswerC

VPC Service Controls restricts which callers can reach the protected APIs at all, so even a valid credential cannot pull data out to an internet destination; firewall rules and IAP do not operate at that layer.

Why this answer

Option C is correct because the service perimeter blocks API access to the protected services from outside the perimeter, and the access level allows the company's on-premises source range, so data cannot be exfiltrated to an internet-based destination even with stolen credentials. Option A is wrong because VPC firewall rules govern traffic to and from VM interfaces, not calls to Google APIs, so they do nothing to stop exfiltration through the API layer. Option B is wrong because Private Google Access only lets hosts without public IPs reach Google APIs; it does not stop the same APIs being called from the internet.

Option D is wrong because IAP authorizes users to reach applications based on identity and context; it does not restrict access to managed service APIs or stored data. One caveat a practitioner should know: IP conditions in an access level accept only public CIDR ranges. When on-premises requests reach Google APIs over Cloud VPN through Private Google Access, it is the VPC network that terminates the tunnel that the perimeter (or an ingress rule naming that network) must include.

804
Multi-Selecteasy

A company runs a batch processing job that uses preemptible VMs. The job occasionally fails due to VM preemption. They want to improve reliability without significantly increasing cost. Which TWO actions should they take? (Choose TWO.)

Select 2 answers
A.Use a managed instance group with autoscaling and preemptible VMs
B.Use sole-tenant nodes to reduce risk of preemption
C.Switch to regular (non-preemptible) VMs
D.Implement a retry mechanism in the job to re-run failed tasks
E.Increase the number of preemptible VMs
AnswersA, D

MIGs can automatically replace preempted VMs, and autoscaling adds resilience. Preemptible VMs keep costs low.

Why this answer

Using a managed instance group (MIG) with autoscaling and preemptible VMs can automatically recreate instances if preempted. Implementing a retry logic in the application to re-run failed tasks also improves reliability. Using sole-tenant nodes or adding more nodes increases cost or complexity.

Switching to regular VMs increases cost.

805
Multi-Selecthard

A company is moving a legacy application to Compute Engine. The application has inconsistent resource usage and the team wants to optimise costs without performance degradation. They are evaluating committed use discounts (CUDs) and other discount types. Which THREE statements are correct about CUDs? (Choose 3)

Select 3 answers
A.CUDs require a minimum of 10 instances to qualify
B.Spend-based CUDs are applied automatically to all eligible projects in the billing account
C.CUDs cannot be combined with sustained use discounts
D.CUDs provide a discount in exchange for committing to a minimum spend or resource usage for 1 or 3 years
E.Resource-based CUDs apply to a specific machine series and region
AnswersB, D, E

Spend-based CUDs apply at the billing account level.

Why this answer

CUDs offer discounts in exchange for a 1-year or 3-year commitment. Resource-based CUDs are purchased for a machine series (for example N2 or E2) in a specific region and project. Spend-based CUDs are a commitment to an hourly spend and are applied automatically to eligible usage across the billing account.

Option C is not correct as stated: usage that a commitment already covers does not also earn a sustained use discount, but usage above the commitment in the same project still does. Sustained use discounts are automatic and are never purchased. Option A is wrong because there is no minimum instance count.

806
MCQmedium

Refer to the exhibit. A load balancer forwards HTTPS traffic to a target pool with two instances. The health check is configured on port 80 with path /health. Some users report intermittent connection errors. What is the most likely cause?

A.The health check path /health does not exist on the backend instances.
B.The health check is using HTTP but the backend instances only serve HTTPS, causing them to be marked unhealthy.
C.The load balancer's IP address is not reachable from the internet.
D.The instances are in different zones, causing latency.
AnswerB

The health check is configured for HTTP on port 80, but the load balancer forwards HTTPS (port 443) and the backends only listen on 443. The probe is refused on port 80, so instances are marked unhealthy even though they would serve traffic correctly; as backends drop in and out of rotation, users see intermittent errors. The probe must use the protocol and port the backends actually serve, either an HTTPS check on 443 or a plain HTTP listener on 80 added just for health probes.

807
MCQmedium

A team is migrating a monolithic application to microservices on GKE. They want to gradually shift users to the new microservices version while keeping the old monolithic version running. They need to route a small percentage of users based on a cookie. Which traffic management approach should they use?

A.Use Istio VirtualService with match rules based on cookie and weighted destinations
B.Use Kubernetes Services with multiple Deployments and manual scaling
C.Configure an HTTP(S) load balancer with URL maps and backend services
D.Deploy two separate GKE clusters and use DNS-based traffic splitting
AnswerA

Istio supports cookie-based matching and weighted routing, enabling canary deployments.

Why this answer

Istio traffic management allows fine-grained routing based on HTTP headers, cookies, or other attributes. It supports traffic splitting and canary deployments with precise percentage control.

808
MCQhard

A company runs a stateful application on Compute Engine with persistent disks. They want to ensure data durability across a zone failure. What is the best approach?

A.Replicate data at application level to another instance in a different zone
B.Use Google Cloud NetApp Volumes with replication
C.Use regional persistent disks
D.Take regular snapshots of the persistent disks and store them in a multiregional bucket
AnswerC

Regional PDs replicate data across zones with synchronous writes, ensuring durability.

Why this answer

Regional persistent disks (RPDs) synchronously replicate every write to two zones in the same region, so a zone failure loses no committed data (RPO of zero). Failover is not automatic: if the zone holding the attached VM fails, you force-attach the disk to an instance in the other zone, which takes seconds to minutes rather than the hours a restore from snapshots can take, and the application needs no replication code of its own.

Exam trap

Google Cloud often tests the distinction between synchronous replication (regional persistent disks) and asynchronous backup (snapshots), leading candidates to choose snapshots for durability when they actually need zero RPO across a zone failure.

How to eliminate wrong answers

Option A is wrong because replicating data at the application level adds complexity, latency, and custom code, whereas Compute Engine offers a managed, synchronous replication option. Option B is wrong because Google Cloud NetApp Volumes is a managed file service (NFS/SMB) rather than block storage attached to the instance; adopting it means changing the application's storage model and adding a service tier and cost that the question does not call for. Option D is wrong because snapshots stored in a multi-regional bucket provide point-in-time recovery but have an RPO of minutes to hours and are not synchronous, so data written between snapshots is lost in a zone failure.

809
MCQhard

A company uses Cloud Bigtable for time-series data. They experience high latency and uneven load distribution across nodes. What is the most likely cause?

A.The data is stored in a single column family
B.The app is using strong reads instead of eventual consistency
C.The table has a single row key pattern that causes hot spotting
D.The cluster has too many nodes
AnswerC

Sequential row keys lead to hot spots.

Why this answer

Cloud Bigtable partitions data by row key range and distributes tablets across nodes. A single row key pattern (e.g., monotonically increasing timestamps) causes all writes to target the same tablet, creating a hot spot. This leads to uneven load distribution and high latency because one node is overwhelmed while others remain idle.

Exam trap

Google Cloud often tests the misconception that column families or read consistency levels are the root cause of performance issues, when in fact row key design is the primary driver of load distribution in Bigtable.

How to eliminate wrong answers

Option A is wrong because storing data in a single column family does not cause uneven load distribution; column families affect storage and read performance but not row key distribution. Option B is wrong because strong reads (read-after-write consistency) add latency but do not cause uneven load distribution across nodes; the issue is about write hot spotting, not read consistency. Option D is wrong because having too many nodes would reduce load per node, not increase latency or cause uneven distribution; the cluster would be over-provisioned, not hot-spotted.

810
MCQhard

A company runs multiple microservices on Cloud Run. Each service uses a Serverless VPC Access connector to connect to a shared Cloud Memorystore for Redis instance (standard tier) in a VPC network. The Redis instance is configured with a firewall rule that allows TCP connections on port 6379 from the VPC connector's subnet (10.8.0.0/28). After a recent code update, the order-service fails to connect to Redis, while the user-service continues to work. The error logs in order-service show 'connection refused'. The engineer verifies that both services use the same VPC connector, the same Redis instance IP, and the same service account. The VPC connector's metrics show no errors. What is the most likely cause?

A.The order-service is deployed in a different region than the Redis instance.
B.The order-service code now attempts to connect to Redis on port 6380.
C.The VPC connector is out of memory.
D.The Redis instance has reached its maximum number of connections.
AnswerB

A port mismatch would cause connection refused only for the affected service, while the firewall rule only permits port 6379.

Why this answer

The order-service successfully connects to the same Redis instance before the code update. After the update, it fails with 'connection refused', while the user-service still works. Since both services share the same networking configuration and the firewall only allows port 6379, the most likely cause is that the order-service code now attempts to connect on a different port (e.g., 6380) that is not allowed by the firewall.

Other options would affect both services or are inconsistent with the symptoms.

811
MCQmedium

A company needs to run a batch job that processes data stored in Cloud Storage. The job runs once per day and takes about 2 hours on 8 vCPUs. Cost is the primary concern, and the job can be interrupted. Which compute option is MOST cost-effective?

A.Standard VM (on-demand)
B.Spot VM
C.Preemptible VM
D.Sole-tenant node
AnswerC

Preemptible VMs offer the lowest cost for fault-tolerant batch jobs.

Why this answer

Preemptible VMs are offered at a steep discount to standard VMs and can be reclaimed at any time, which this batch job tolerates. Spot VMs are the current generation of the same capacity at the same discounted pricing; the differences are that preemptible VMs run for at most 24 hours while Spot VMs have no maximum runtime, and Spot VMs are what Google now recommends for new workloads. For a two-hour daily job either is far cheaper than a standard VM; the answer key treats preemptible as the intended choice. Standard VMs are more expensive.

Sole-tenant nodes are for physical isolation and licensing, not cost savings.

812
MCQmedium

A data engineer needs to analyze data in BigQuery but must mask personally identifiable information (PII) based on user roles. Which service should they use?

A.BigQuery column-level security
B.Cloud Key Management Service
C.Cloud Data Catalog
D.Cloud Data Loss Prevention (DLP)
AnswerA

BigQuery column-level security with data masking can restrict PII based on roles.

Why this answer

BigQuery column-level security attaches policy tags to sensitive columns; data masking rules on those tags return masked values (nulls, hashes, or defaults) to users who lack the Fine-Grained Reader role, so the same query yields different results by role. Option C is wrong because Data Catalog holds the policy tag taxonomy and metadata; on its own it classifies columns but enforces nothing. Option D is wrong because Cloud DLP can discover and de-identify PII in a pipeline, but that is a transformation of the stored data, not role-dependent masking at query time.

Option B is wrong because Cloud KMS manages encryption keys; it does not mask fields.

813
Multi-Selectmedium

A company runs a web application on Compute Engine behind an HTTP load balancer. They want to improve reliability by implementing failover across two regions. Which TWO actions should they take?

Select 2 answers
A.Deploy a global external HTTP load balancer with backends in both regions.
B.Configure a backend service with a failover policy pointing to primary and secondary backends.
C.Configure DNS-based failover using Cloud DNS with health checks.
D.Use an internal load balancer to route traffic between regions.
E.Use a regional external HTTP load balancer with a multi-region backend.
AnswersA, B

Global load balancer automatically routes to healthy backends, providing cross-region failover.

Why this answer

A global external HTTP load balancer is required for cross-region failover because it uses a single anycast IP address and routes traffic to the closest healthy backend. By deploying backends in both regions, the load balancer automatically fails over to the secondary region if the primary region's backends become unhealthy, improving reliability without DNS propagation delays.

Exam trap

The trap here is that candidates confuse DNS-based failover (which is slow and not recommended for HTTP load balancing) with the instant, anycast-based failover of a global load balancer, or mistakenly think a regional load balancer can span multiple regions.

814
MCQeasy

A developer is writing a Cloud Function that processes files uploaded to a Cloud Storage bucket. Which trigger should they use?

A.HTTP trigger
B.Firestore trigger
C.Cloud Storage trigger
D.Pub/Sub trigger
AnswerC

A Cloud Storage trigger fires on object changes.

Why this answer

Cloud Functions can be triggered by Cloud Storage events such as object finalize, delete, etc.

815
Multi-Selectmedium

Your organization is implementing a Disaster Recovery plan for a critical database. Which THREE components are essential for a robust DR strategy? (Choose 3)

Select 3 answers
A.A single global load balancer for both regions.
B.Automated failover process to switch traffic to the DR region.
C.Data replication strategy (synchronous or asynchronous) to a secondary region.
D.Regular DR drills (testing failover at least once per quarter).
E.Using a single zone for the primary region.
AnswersB, C, D

Automation minimizes manual errors and reduces RTO.

Why this answer

Option B is correct because an automated failover process is essential for minimizing Recovery Time Objective (RTO) in a Disaster Recovery strategy. Without automation, manual intervention introduces delays and risks of human error, which can extend downtime significantly. In cloud or on-premises environments, automated failover typically relies on health checks, DNS updates, or traffic manager rules to seamlessly redirect traffic to the DR region when the primary fails.

Exam trap

Google Cloud often tests whether candidates can separate a DR strategy (replication, automated failover, rehearsed runbooks) from one implementation detail. A global external load balancer is a distributed anycast service, not a single point of failure, but it is only one way to redirect traffic rather than an essential component in itself, and a single-zone primary (option E) is the opposite of DR design.

816
MCQeasy

Which Google Cloud service allows organizations to define perimeters that protect resources and data from exfiltration to other VPCs or networks?

A.Private Service Connect
B.Identity-Aware Proxy (IAP)
C.Cloud Armor
D.VPC Service Controls
AnswerD

VPC Service Controls create service perimeters to protect data from exfiltration.

Why this answer

VPC Service Controls allow you to define service perimeters that restrict access to managed services from outside the perimeter, preventing data exfiltration.

817
Multi-Selecthard

A company uses Terraform to manage infrastructure. They want to store the Terraform state file remotely and enable state locking to prevent concurrent modifications. Which three Google Cloud services or features should they use? (Choose three.)

Select 3 answers
A.Object versioning on the state bucket
B.Cloud Storage
C.Cloud NAT
D.Cloud Shell
E.Cloud KMS
AnswersA, B, E

Cloud Storage is the remote backend; the backend implements state locking itself, and versioning gives a recoverable history of state files.

Why this answer

Cloud Storage is the remote backend for Terraform state. Locking is built into the gcs backend: it creates a lock object beside the state with a precondition that the object does not already exist, so a concurrent run fails to acquire the lock. Object versioning does not provide locking; it keeps earlier state files so a corrupted or accidentally overwritten state can be restored. Cloud KMS supplies a customer-managed key for encrypting the state, which typically contains secrets in plaintext.

Cloud NAT is for outbound connectivity from instances without public IPs. Cloud Shell is only a client from which Terraform may be run and is not required for state management.
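The following Terraform configuration is an added illustration of the backend setup described above; it is not part of the question bank or of any Google sample. The project, bucket, key ring and key names are placeholders, and the bucket is assumed to be bootstrapped from a separate configuration before any other state points at it.

```hcl
# Added example (not from the question bank). All names are placeholders.
# Locking is done by the gcs backend itself: it writes a <prefix>/default.tflock
# object with an "if-generation-match: 0" precondition, so a second concurrent
# "terraform apply" cannot acquire the lock. Versioning is not what locks; it is
# what lets you restore a previous state file after a bad or corrupted write.

data "google_storage_project_service_account" "gcs" {}

resource "google_kms_key_ring" "tfstate" {
  name     = "tfstate"          # placeholder
  location = "us-central1"
}

resource "google_kms_crypto_key" "tfstate" {
  name            = "tfstate"   # placeholder
  key_ring        = google_kms_key_ring.tfstate.id
  rotation_period = "7776000s"  # 90 days
}

# The Cloud Storage service agent must be able to use the key, or bucket
# creation with a default CMEK fails.
resource "google_kms_crypto_key_iam_member" "gcs_uses_key" {
  crypto_key_id = google_kms_crypto_key.tfstate.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs.email_address}"
}

resource "google_storage_bucket" "tfstate" {
  name                        = "example-org-tfstate"   # placeholder, globally unique
  location                    = "US-CENTRAL1"
  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"

  # Keeps non-current state files so a bad apply can be rolled back.
  versioning {
    enabled = true
  }

  # State files carry secrets in plaintext; encrypt them with a key you control.
  encryption {
    default_kms_key_name = google_kms_crypto_key.tfstate.id
  }

  depends_on = [google_kms_crypto_key_iam_member.gcs_uses_key]
}

# In every root module that should share this backend (a separate configuration
# from the one that creates the bucket above):
terraform {
  backend "gcs" {
    bucket             = "example-org-tfstate"            # placeholder
    prefix             = "prod/network"                   # one prefix per environment/stack
    kms_encryption_key = "projects/PROJECT_ID/locations/us-central1/keyRings/tfstate/cryptoKeys/tfstate"  # placeholder
  }
}
```

Two practical points: grant the Terraform service account `roles/storage.objectAdmin` only on this bucket (object listing and generation-conditional writes are what locking needs), and grant it `cryptoKeyEncrypterDecrypter` on the key as well, since the `kms_encryption_key` setting makes the client encrypt state writes with that key directly.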

818
MCQhard

An organization is migrating a legacy monolithic application to Google Cloud. The application currently runs on a single server with an on-premises database. The application is stateful and requires low-latency access to the database. The migration must minimize downtime and ensure high availability. Which architecture should the company adopt?

A.Deploy on GKE with StatefulSets and use Cloud Spanner for global consistency.
B.Deploy on Compute Engine with a regional persistent disk and use Cloud SQL for PostgreSQL with regional high availability.
C.Deploy on App Engine Standard Environment and use Cloud Firestore in Datastore mode.
D.Deploy on Cloud Run and use Cloud SQL with read replicas.
AnswerB

This provides HA and low-latency access needed for the stateful monolithic app.

Why this answer

Option B is correct because it combines Compute Engine with a regional persistent disk for synchronous replication across zones, ensuring high availability with minimal downtime during a zonal failure. Cloud SQL for PostgreSQL with regional high availability provides a managed, low-latency database with automatic failover, meeting the stateful application's need for low-latency access and high availability without the complexity of container orchestration.

Exam trap

The trap here is that candidates often overcomplicate the solution by choosing containerized or serverless options (GKE, Cloud Run, App Engine) without recognizing that a legacy monolithic stateful application with low-latency requirements is best served by a simple, proven VM-based architecture with regional persistent disks and a managed relational database with synchronous replication.

How to eliminate wrong answers

Option A is wrong because GKE with StatefulSets introduces orchestration overhead and potential downtime during cluster upgrades or node failures, and Cloud Spanner, while globally consistent, adds latency and cost overkill for a single-region low-latency requirement. Option C is wrong because App Engine Standard Environment is stateless by design and does not support stateful applications with persistent local storage, and Cloud Firestore in Datastore mode is a NoSQL database that does not provide the relational consistency and low-latency access expected from a legacy monolithic database. Option D is wrong because Cloud Run is stateless and ephemeral, requiring external storage for state, and Cloud SQL with read replicas does not provide synchronous replication for high availability; read replicas are asynchronous and cannot guarantee zero data loss during a failover.

819
MCQmedium

A company uses Cloud Storage to store backup files. They need to retain backups for 7 years and must be able to recover deleted or overwritten files within that period. Which Cloud Storage feature should they enable?

A.Object retention policy
B.Lifecycle management
C.Object versioning
D.Uniform bucket-level access
AnswerC

Versioning keeps all versions, allowing recovery of deleted or overwritten objects.

Why this answer

Object versioning keeps multiple versions of an object, allowing recovery from deletion or overwrite. Object retention policies prevent deletion but do not allow recovery of overwritten versions. Lifecycle management is for automation.

Uniform bucket-level access is for permissions.

820
Multi-Selectmedium

A company is deploying a critical application on GKE and wants to ensure high availability during node upgrades and failures. Which TWO configurations should they implement? (Choose 2.)

Select 2 answers
A.Enable Workload Identity for the service account
B.Configure a PodDisruptionBudget for the deployment
C.Create a multi-zonal node pool to spread nodes across multiple zones
D.Use a HorizontalPodAutoscaler with high target utilization
E.Enable Cluster Autoscaler on the node pool
AnswersB, C

PDB ensures that voluntary disruptions (e.g., upgrades) do not bring all pods down.

Why this answer

PodDisruptionBudgets (PDBs) ensure that a minimum number of pods remain available during voluntary disruptions like node upgrades. Multi-zonal node pools distribute pods across zones, protecting against zone failures. Cluster Autoscaler adds nodes when needed but does not directly ensure availability.

HPA scales pods but does not handle disruptions. Workload Identity is for authentication, not availability.

821
MCQmedium

A company wants to deploy a containerized microservices application on GCP with minimal operational overhead. They need automatic scaling, no node management, and pay only for requested resources. Which compute option is most appropriate?

A.GKE Standard with node auto-provisioning
B.Cloud Run
C.GKE Autopilot
D.App Engine Flexible Environment
AnswerB

Cloud Run is fully managed, has no nodes to manage, scales to zero, and bills CPU and memory only while requests are being handled (plus a per-request fee).

Why this answer

Cloud Run is a fully managed serverless container platform that scales automatically, requires no node management, and charges per request.

822
MCQmedium

A company is using Cloud Spanner to serve a global gaming application. They have a single instance in us-central1. Players in Asia experience high latency. The application reads and writes player profiles. The team wants to reduce latency for Asian players while keeping write latency low for global consistency. They need a solution that minimizes operational overhead and uses native Spanner capabilities. What should they do?

A.Configure a multi-region instance configuration that includes us-central1 and an Asian region.
B.Add read replicas in Asia using Spanner's read-only replicas.
C.Use Cloud CDN to cache player profiles at the edge.
D.Create a new instance in asia-east1 and use Directed Read options to route reads from Asia.
AnswerA

A multi-region configuration places read-write and read-only replicas in several regions under one instance, so Asian reads are served locally while writes keep strong consistency through the leader region.

Why this answer

A multi-region instance configuration is the correct solution because it is a single Spanner instance whose replicas span several regions, with one database, one endpoint, and strong consistency across all of them. Reads from Asia are served by a nearby replica; writes still commit through the leader region and a quorum of read-write replicas, so write latency is governed by where the leader sits (Spanner lets you choose the default leader region). It is a native capability with no application-level replication or caching layer to operate. Option A therefore meets the latency, consistency and operational requirements together.

Exam trap

The trap here is that candidates may confuse Spanner's multi-region configuration with read replicas or separate instances, not realizing that Spanner's native multi-region setup provides both local reads and writes with strong consistency, unlike other databases that require separate read replicas or caching layers.

How to eliminate wrong answers

Option B is wrong because Spanner read-only replicas exist only as part of a multi-region instance configuration; you cannot add one to a single-region us-central1 instance. Option C is wrong because Cloud CDN caches static content at the edge, while player profiles are dynamic, frequently updated data that requires strong consistency, which a cache cannot provide. Option D is wrong because a separate instance in asia-east1 is an independent database with no replication from us-central1, so global consistency is lost; directed reads in Spanner select a replica within one instance and cannot bridge two instances.

823
MCQmedium

A company has Compute Engine instances in us-east1-a and us-east1-b zones. They want to allow communication between these instances with minimal latency and no additional cost. What is the best networking approach?

A.Configure VPC Network Peering between two separate VPC networks.
B.Use a single VPC network that includes both zones.
C.Create a new subnet in each zone and use Cloud NAT.
D.Set up a Cloud VPN between the zones.
AnswerB

Instances in the same VPC network can communicate using internal IPs with low latency.

Why this answer

A single VPC network is global: it spans all regions and zones, so instances in us-east1-a and us-east1-b in the same VPC already reach each other over internal IP addresses with no additional networking product, and the traffic stays on Google's backbone. One caveat: egress between zones in the same region is not free and carries a small per-GB charge, but that applies to every design here, and the direct internal path is the cheapest and lowest-latency of them.

Exam trap

The trap here is that candidates may overcomplicate the solution by thinking they need separate networks or VPNs for zone-to-zone communication, when in fact a single VPC inherently supports flat, cost-free internal connectivity across zones.

How to eliminate wrong answers

Option A is wrong because VPC Network Peering is used to connect separate VPC networks, which adds complexity and is unnecessary when instances are in the same VPC; it also does not reduce latency or cost compared to a single VPC. Option C is wrong because Cloud NAT is designed for outbound internet access from private instances, not for inter-zone communication, and it would introduce additional latency and cost. Option D is wrong because Cloud VPN is a site-to-site VPN solution for connecting on-premises networks or different VPCs across regions, not for intra-VPC zone-to-zone communication, and it adds latency and cost.

824
MCQmedium

A company runs a critical application on Compute Engine instances in a managed instance group (MIG) with autoscaling. During a traffic spike, some instances become unhealthy but are not automatically replaced. What is the most likely cause?

A.The MIG is regional and one zone failed.
B.The autohealing health check is misconfigured.
C.The instance template has a startup script error.
D.The HTTP load balancer's health check is failing.
AnswerB

MIG autohealing relies on a health check to detect unhealthy instances and replace them; a misconfiguration prevents detection.

Why this answer

The most likely cause is that the autohealing health check is misconfigured. In a managed instance group, autohealing relies on a health check to detect unhealthy instances and trigger replacement. If the health check is misconfigured (e.g., wrong port, path, or protocol), the MIG will not recognize instances as unhealthy and will not automatically replace them, even during a traffic spike.

Exam trap

Google Cloud often tests the distinction between the MIG's autohealing health check and the load balancer's health check, leading candidates to incorrectly attribute instance replacement failures to load balancer issues rather than the MIG's own health check configuration.

How to eliminate wrong answers

Option A is wrong because a regional MIG with a single zone failure would still trigger autohealing in the remaining healthy zones, and the MIG would replace instances in the failed zone if the health check is correctly configured. Option C is wrong because a startup script error would cause instances to fail at boot, but the MIG would still attempt to replace them based on the health check; the issue is not about the template but the detection mechanism. Option D is wrong because the HTTP load balancer's health check is separate from the MIG's autohealing health check; a failing load balancer health check does not prevent the MIG from replacing unhealthy instances if its own health check is properly configured.
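The Terraform configuration below is an added example, not from the question bank, that puts questions 806 and 824 side by side: the load balancer's health check and the MIG's autohealing check are two separate resources, and both probe the protocol and port the backends really serve (HTTPS on 443) rather than HTTP on 80. Resource names, the region, the image and the `/health` path are assumptions.

```hcl
# Added example (not from the question bank). Names, region and image are placeholders.
# Two distinct health checks: the backend service's check decides who receives
# traffic; the MIG's autohealing check decides who gets recreated. Both probe
# HTTPS on 443 because that is what the application listens on (question 806).

# Probe used by the load balancer: affects traffic routing only.
resource "google_compute_health_check" "lb" {
  name                = "web-lb-hc"
  check_interval_sec  = 5
  timeout_sec         = 5
  healthy_threshold   = 2
  unhealthy_threshold = 2

  https_health_check {
    port         = 443
    request_path = "/health"   # assumed endpoint, must return 200
  }
}

# Probe used by the MIG for autohealing: deliberately more tolerant, so a slow
# boot or a transient spike does not start a recreate storm (question 824).
resource "google_compute_health_check" "autoheal" {
  name                = "web-autoheal-hc"
  check_interval_sec  = 10
  timeout_sec         = 5
  healthy_threshold   = 2
  unhealthy_threshold = 6

  https_health_check {
    port         = 443
    request_path = "/health"
  }
}

resource "google_compute_instance_template" "web" {
  name_prefix  = "web-"
  machine_type = "e2-medium"
  tags         = ["web"]

  disk {
    source_image = "debian-cloud/debian-12"
    boot         = true
  }

  network_interface {
    network = "default"
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "google_compute_region_instance_group_manager" "web" {
  name               = "web-mig"
  region             = "us-central1"
  base_instance_name = "web"
  target_size        = 3

  version {
    instance_template = google_compute_instance_template.web.id
  }

  named_port {
    name = "https"
    port = 443
  }

  # Without this block the MIG never replaces an unhealthy-but-running instance.
  auto_healing_policies {
    health_check      = google_compute_health_check.autoheal.id
    initial_delay_sec = 300   # give the startup script time before the first verdict
  }
}

resource "google_compute_backend_service" "web" {
  name          = "web-backend"
  protocol      = "HTTPS"
  port_name     = "https"
  health_checks = [google_compute_health_check.lb.id]

  backend {
    group = google_compute_region_instance_group_manager.web.instance_group
  }
}

# Probes come from Google's health-check ranges, not from the load balancer IP;
# a firewall rule that only allows the LB address breaks both checks.
resource "google_compute_firewall" "allow_health_checks" {
  name          = "allow-health-checks"
  network       = "default"
  source_ranges = ["35.191.0.0/16", "130.211.0.0/22"]
  target_tags   = ["web"]

  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}
```

If instances keep being marked unhealthy by the load balancer but are never recreated, compare the two checks first: the MIG only acts on `auto_healing_policies.health_check`, so a misconfigured port, path or protocol there (or a missing firewall rule for the probe ranges) is the usual cause.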

825
Multi-Selecteasy

A startup deploys a microservices application on GKE. They need to ensure high availability of the services. Which two strategies should they implement? (Choose TWO.)

Select 2 answers
A.Use horizontal pod autoscaling
B.Use regional persistent disks for stateful components
C.Use node auto-repair
D.Deploy the application across multiple zones in a region
E.Use cluster autoscaler
AnswersB, D

Regional PDs replicate data synchronously across zones.

Why this answer

Option B is correct because regional persistent disks provide synchronous replication across two zones within a region, ensuring that stateful workloads (e.g., databases) remain available even if an entire zone fails. This is critical for high availability of stateful components in a GKE cluster, as it prevents data loss and allows pods to be rescheduled in another zone with the same persistent volume.

Exam trap

The trap here is that candidates often confuse auto-scaling mechanisms (HPA, cluster autoscaler) with high availability, failing to recognize that true HA requires redundancy across failure domains (zones) and persistent storage that survives zone outages.
