Google Professional Cloud Architect (PCA) — Questions 826900

1000 questions total · 14pages · All types, answers revealed

Page 11

Page 12 of 14

Page 13
826
Multi-Selecteasy

A company uses Cloud Build to automate their CI/CD pipeline. They want to optimize the build process for a Java application. Which three practices should they adopt? (Choose three.)

Select 3 answers
A.Parallelize independent build steps by using Cloud Build's step parallelism or by splitting into multiple builds.
B.Store Maven dependencies in a private repository in Artifact Registry for faster access.
C.Use Docker layer caching with Cloud Build by specifying a cached image.
D.Use a custom build step that downloads all tools from the internet each time.
E.Use a high-CPU machine type (e.g., n1-highcpu-64) for faster compilation.
AnswersA, B, C

Reduces overall build time.

Why this answer

Option A is correct because Cloud Build allows you to define build steps that run sequentially by default, but you can parallelize independent steps by using the `waitFor` field to specify dependencies. This reduces total build time by running non-dependent steps concurrently, which is a key optimization for CI/CD pipelines. Splitting into multiple builds is also a valid approach for parallel execution.

Exam trap

Google Cloud often tests the misconception that you can arbitrarily choose high-CPU machine types in Cloud Build, but Cloud Build does not support custom machine types in its standard configuration—this is a trap where candidates confuse Cloud Build with Compute Engine or other GCP services.

827
Multi-Selectmedium

A company is moving a legacy monolithic application to a microservices architecture on Google Cloud. They want to minimize operational overhead and automatically scale each service independently. Which TWO compute services should they consider? (Choose two.)

Select 2 answers
A.Cloud Run
B.Compute Engine with managed instance groups
C.Google Kubernetes Engine (GKE) Standard
D.Cloud Functions
E.Google Kubernetes Engine (GKE) Autopilot
AnswersA, E

Cloud Run automatically scales each container service independently with zero overhead.

Why this answer

Cloud Run and GKE Autopilot both offer automatic scaling and reduced operational overhead. Cloud Run is serverless for containers; GKE Autopilot manages the cluster infrastructure. Compute Engine requires manual scaling.

Cloud Functions is for functions, not full services. GKE Standard requires node management.

828
Multi-Selectmedium

A company wants to improve the performance of their Cloud SQL for PostgreSQL instance. They notice many idle connections and slow queries. Which THREE actions could help? (Choose 3)

Select 3 answers
A.Add appropriate indexes
B.Add read replicas
C.Use PgBouncer for connection pooling
D.Enable private IP
E.Increase disk size
AnswersA, B, C

Speeds up slow queries.

Why this answer

PgBouncer reduces connection overhead. Read replicas offload read queries. Adding indexes speeds up queries.

Private IP improves security and latency but not performance. Increasing disk size helps if I/O bottleneck, but not connection or query performance.

829
MCQmedium

An application uses Cloud Pub/Sub for asynchronous processing. Subscribers occasionally fail to acknowledge messages within the ack deadline, causing redelivery. How to improve reliability and prevent message buildup?

A.Increase the ack deadline to the maximum value
B.Set max delivery attempts to 1 to avoid redelivery
C.Implement exponential backoff in the subscriber retry logic
D.Use a dead-letter topic to capture failed messages
AnswerC

Exponential backoff allows the subscriber to retry after increasing delays, handling transient failures effectively.

Why this answer

Option C is correct because implementing exponential backoff in the subscriber retry logic allows the subscriber to gradually increase the delay between retries when messages are not acknowledged, reducing the likelihood of overwhelming the system and preventing message buildup. This approach aligns with Cloud Pub/Sub's recommended practices for handling transient failures, as it gives the subscriber time to recover without exhausting the ack deadline or causing excessive redelivery.

Exam trap

Google Cloud often tests the misconception that increasing the ack deadline or using a dead-letter topic alone solves reliability issues, but the key is implementing retry logic with backoff to handle transient failures without losing messages or causing buildup.

How to eliminate wrong answers

Option A is wrong because increasing the ack deadline to the maximum value (e.g., 600 seconds) does not address the root cause of subscriber failures; it only delays redelivery, potentially leading to message buildup if the subscriber never recovers. Option B is wrong because setting max delivery attempts to 1 prevents redelivery entirely, which means any message that fails to be acknowledged will be permanently lost, undermining the reliability of asynchronous processing. Option D is wrong because using a dead-letter topic captures failed messages after all delivery attempts are exhausted, but it does not prevent message buildup during the retry process; it is a last-resort mechanism, not a proactive reliability improvement.

830
Matchingmedium

Match each Google Cloud service to its primary purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Distribute traffic across instances

Cache content at edge locations

Protect against DDoS and web attacks

Enable outbound internet for private instances

Dedicated connection between on-prem and GCP

Why these pairings

These are core networking services in GCP.

831
Multi-Selectmedium

A data analytics team uses BigQuery to run large queries. They want to reduce query costs. Which three practices should they adopt? (Choose THREE.)

Select 3 answers
A.Use query caching
B.Use clustered tables on commonly filtered columns
C.Partition tables by date
D.Create materialized views for frequent aggregations
E.Always use SELECT * to ensure all columns are available
AnswersB, C, D

Clustering improves query performance and reduces cost by limiting scans.

Why this answer

Option B is correct because clustering tables on commonly filtered columns in BigQuery allows the query engine to prune blocks of data that don't match the filter, reducing the amount of data scanned and thus lowering query costs. This is especially effective when combined with partitioning, as it further narrows the scan to relevant clusters within a partition.

Exam trap

Google Cloud often tests the misconception that query caching is a cost-reduction technique, but candidates must remember that caching only avoids reprocessing identical queries and does not reduce the cost of the initial query or queries with different filters.

832
MCQhard

Your organization uses Cloud Logging to collect logs from all GCP projects. The security team wants to be alerted when a specific IAM policy change (e.g., granting roles/compute.admin to a user) occurs in any project. They need near real-time notification via email and a ticketing system. What should you do?

A.Create a log-based alert in Cloud Logging with a filter for SetIamPolicy and configure a Pub/Sub notification channel. Use a Cloud Function subscribed to that topic to create a ticket in the ticketing system.
B.Use Cloud Asset Inventory to monitor IAM policy changes and set up a notification to Pub/Sub.
C.Export all logs to BigQuery and run a scheduled query every hour to detect changes. If found, send an email using Cloud Scheduler.
D.Create a Cloud Monitoring alert policy based on a metric from the Cloud Audit Logs, with email and SMS notifications.
AnswerA

Log-based alerts can directly send to Pub/Sub; the Cloud Function can create a ticket. Email can also be added as another channel.

Why this answer

Log-based alerts in Cloud Logging can monitor logs for a specific filter (e.g., protoPayload.methodName=SetIamPolicy) and send notifications to multiple channels (email, Pub/Sub). Pub/Sub can then trigger a Cloud Function to create a ticket. Alerting policies can also use log-based metrics.

Cloud Audit Logs logs IAM changes. The correct approach is to create a log-based alert with a Pub/Sub notification channel.

833
Multi-Selecthard

Which THREE options are valid strategies for disaster recovery (DR) in Google Cloud?

Select 3 answers
A.Store hourly snapshots of Compute Engine disks in the same region.
B.Deploy a mirrored environment in another region and use Traffic Director to fail over.
C.Enable Cloud CDN to cache static content from multiple origins.
D.Use a Cloud Storage bucket in a different region with Object Versioning enabled.
E.Configure a cross-region replica for Cloud SQL and promote it during failover.
AnswersB, D, E

Traffic Director can route traffic to the DR environment.

Why this answer

Option B is correct because Traffic Director, based on the xDS API (Envoy), can manage traffic routing across regions. By deploying a mirrored environment in another region and configuring Traffic Director with failover policies, you can redirect traffic to the secondary region if the primary fails, enabling a robust active-passive or active-active DR strategy.

Exam trap

The trap here is confusing high-availability features (like snapshots or CDN) with true disaster recovery, which requires geographic separation and automated failover mechanisms.

834
MCQeasy

A security team wants to receive alerts when a user attempts to grant the 'roles/owner' role to a member outside of the organization's domain. Which log filter should they use to create a log-based metric?

A.Filter on Admin Activity log type with 'protoPayload.methodName="SetIamPolicy" AND protoPayload.serviceName="cloudresourcemanager.googleapis.com" AND NOT protoPayload.request.policy.bindings: member: "example.com"'.
B.Filter on Data Access log type with 'protoPayload.methodName="google.iam.v1.IAMPolicy.SetIamPolicy"'.
C.Filter on Admin Activity logs for 'resource.type="gce_instance" AND protoPayload.methodName="compute.instances.setServiceAccount"'.
D.Filter on System Event logs with a query for 'resource.type="project" AND protoPayload.response.status.code=7'.
AnswerA

This filter catches IAM policy changes where members are not from the allowed domain.

Why this answer

Option B is correct because Cloud Audit Logs for Admin Activity capture all IAM policy changes. The filter checks for setIamPolicy on the project and that the binding includes a member with a domain outside the allowed list. Option A is wrong because Data Access logs do not include admin activity.

Option C is wrong because it only checks for allAuthenticatedUsers. Option D is wrong because it checks for compute instances, not IAM.

835
MCQhard

A company is designing a disaster recovery strategy for a critical application running on Compute Engine with a regional managed instance group (MIG) and an HTTP load balancer. They require an RTO of 10 minutes and RPO of 1 hour. The application state is stored in Cloud SQL for PostgreSQL. What is the most cost-effective approach?

A.Deploy an active-active configuration across two regions using Cloud Spanner
B.Configure a cold standby with a Cloud SQL backup and MIG template in another region
C.Take daily exports of Cloud SQL to Cloud Storage and restore in another region
D.Use Cloud SQL cross-region replica with a warm standby MIG in the secondary region
AnswerD

Cross-region replica keeps data within RPO; warm standby MIG can be promoted within RTO.

Why this answer

Cloud SQL for PostgreSQL supports cross-region replication with a default replication lag typically under 1 hour. For RPO of 1 hour, cross-region replica is sufficient. For RTO of 10 minutes, having a warm standby in another region with a MIG and load balancer configuration that can be promoted quickly meets the requirement.

Full active-active is more expensive; restoring from backups is slower; a cold standby may not meet RTO.

836
MCQhard

A company runs a batch processing workload on Compute Engine that executes nightly. The job is fault-tolerant and can withstand interruptions. The job uses 500 vCPUs and runs for 4 hours each night. Which compute option is MOST cost-effective?

A.On-demand Compute Engine VMs
B.Preemptible VMs
C.Spot VMs
D.Committed use discounts (1-year)
AnswerB

Preemptible VMs are 80% cheaper and ideal for fault-tolerant batch jobs that can be interrupted.

Why this answer

Preemptible VMs are up to 80% cheaper than regular VMs and are ideal for fault-tolerant, interruptible workloads. Committed use discounts require a 1- or 3-year commitment and are not cost-effective if the job runs only a few hours nightly. On-demand instances are the most expensive.

Spot VMs are similar to preemptible but with dynamic pricing; preemptible is simpler and offers fixed discount.

837
MCQeasy

What is the purpose of a Pod Disruption Budget (PDB) in GKE?

A.To automatically scale pods based on CPU usage
B.To distribute pods across different zones
C.To ensure a minimum number of pods are always available during voluntary disruptions
D.To prevent any pod from being terminated
AnswerC

PDBs define the minimum available pods, ensuring high availability.

Why this answer

A PDB limits the number of pods of a replicated application that can be down simultaneously from voluntary disruptions (e.g., node upgrades, cluster autoscaler evictions).

838
MCQhard

A global e-commerce platform uses Spanner for its transactional database. They observe that some transactions are aborted with 'ABORTED' status due to contention. The application retries immediately, but throughput degrades. What design change should they implement to reduce contention?

A.Redesign the schema to use a separate table for frequently updated rows and batch updates using a single transaction
B.Increase the number of nodes in the Spanner instance
C.Use client-side retry with exponential backoff and jitter
D.Change the transaction isolation level to READ UNCOMMITTED
AnswerA

Isolating hot rows reduces lock conflicts; batching updates into a single transaction reduces lock hold time.

Why this answer

Option A is correct because Spanner contention arises when multiple transactions try to update the same row concurrently, causing aborts. By redesigning the schema to use a separate table for frequently updated rows and batching updates into a single transaction, you reduce the number of overlapping locks on hot rows. This minimizes lock conflicts and aborts, improving throughput without changing Spanner's underlying TrueTime-based concurrency control.

Exam trap

The trap here is that candidates confuse horizontal scaling (adding nodes) with solving lock contention, but Spanner's contention is a concurrency control issue, not a capacity issue, so scaling out does not reduce row-level lock conflicts.

How to eliminate wrong answers

Option B is wrong because increasing the number of nodes in Spanner improves storage and throughput capacity but does not reduce lock contention on specific hot rows; contention is a locking issue, not a capacity issue. Option C is wrong because client-side retry with exponential backoff and jitter is a best practice for handling transient failures, but it does not address the root cause of contention—it only makes retries more polite, not less frequent. Option D is wrong because Spanner does not support READ UNCOMMITTED isolation; it uses Serializable isolation (and Stale Reads for read-only queries), and lowering isolation is not possible and would violate consistency guarantees.

839
MCQhard

A multinational corporation must comply with GDPR and requires that all customer data stored in BigQuery be encrypted using customer-managed encryption keys (CMEK) and that the keys are stored in a specific region. Which combination of steps should they take?

A.Enable default encryption at rest in BigQuery and use Organization Policies to restrict key location
B.Create a Cloud KMS key ring and crypto key in the desired region, then associate the BigQuery dataset with the CMEK key using DDL
C.Create a Cloud HSM key, then use Cloud DLP to automatically encrypt the data before loading into BigQuery
D.Use Cloud External Key Manager (EKM) to integrate with an on-premises key management system
AnswerB

This is the standard procedure for CMEK in BigQuery.

Why this answer

BigQuery CMEK requires creating a Cloud KMS key in the desired region and associating it with the dataset using DDL. Default encryption uses Google-managed keys; Cloud DLP is for de-identification; EKM is for on-prem key integration.

840
MCQmedium

An organization is migrating a MySQL database to Cloud SQL. They require automatic failover with zero data loss in the event of a zone outage. Which configuration should they use?

A.Cloud SQL with a cross-region replica.
B.Cloud SQL with automated backups and binary logging.
C.Cloud SQL with a read replica in a different zone.
D.Cloud SQL with high availability (HA) configuration.
AnswerD

HA uses synchronous replication in two zones, providing automatic failover with no data loss.

Why this answer

Option D is correct because Cloud SQL's high availability (HA) configuration uses a synchronous write to a standby instance in a different zone within the same region. This ensures that every transaction committed on the primary is also committed on the standby before acknowledging the client, guaranteeing zero data loss during a zone outage. Automatic failover to the standby occurs with no manual intervention, meeting both the automatic failover and zero data loss requirements.

Exam trap

The trap here is that candidates often confuse a read replica (which uses asynchronous replication and requires manual promotion) with an HA standby (which uses synchronous replication and automatic failover), leading them to incorrectly select Option C.

How to eliminate wrong answers

Option A is wrong because a cross-region replica uses asynchronous replication, which can result in data loss of up to several seconds of transactions during a failover, failing the zero data loss requirement. Option B is wrong because automated backups and binary logging provide point-in-time recovery from a backup, but they do not provide automatic failover; recovery requires manual intervention and can lose transactions committed after the last backup. Option C is wrong because a read replica in a different zone is designed for read scaling, not for automatic failover; promoting a read replica to primary is a manual process and the replica uses asynchronous replication, risking data loss.

841
MCQhard

A company deploys a global application on Cloud Run and uses Cloud SQL for user data. They need sub-10ms read latency for frequently accessed user profiles across regions. Traffic is unpredictable but consistently high. The database must support strong consistency. Which approach meets these requirements?

A.Use Cloud Bigtable with replication across regions
B.Use Cloud Spanner with multi-region configuration
C.Use Cloud SQL with read replicas in each region and enable synchronous replication
D.Use Cloud SQL with cross-region replication and Memorystore cache in each region
AnswerB

Cloud Spanner offers global, strongly consistent reads and writes with low latency, suitable for unpredictable high traffic.

Why this answer

Cloud SQL does not support global scale with strong consistency across regions; cross-region replication is asynchronous. Cloud Spanner provides global, strongly consistent reads with low latency and can handle high unpredictable traffic. Memorystore would add caching but not strong consistency against the database itself.

Bigtable is not strongly consistent across regions.

842
MCQeasy

A company wants to define an SLO for their application's availability. They measure that the application was down for 30 minutes in a 30-day period. What is the availability SLO that they can achieve?

A.99.5%
B.99.9%
C.99.99%
D.99.95%
AnswerB

99.9% allows 43.2 minutes downtime per month; 30 minutes is within that.

Why this answer

Availability = (total time - downtime) / total time. 30 days = 43200 minutes. (43200 - 30) / 43200 = 99.93%. The closest higher but achievable SLO would be 99.9%, because 99.95% would allow only 21.6 minutes downtime. Typically SLOs are stated as 99.9%, 99.95%, etc.

843
MCQhard

A company is designing a VPC architecture for a multi-tenant SaaS platform. Each tenant has isolated workloads that must not communicate with each other. They also need centralized network security and logging. Which VPC design meets these requirements?

A.Dedicated Cloud VPN connections per tenant
B.Use a Shared VPC with separate subnets for each tenant and firewall rules to enforce isolation
C.Single VPC with network tags and IAP tunnels
D.Peered VPCs for each tenant with Cloud NAT
AnswerB

Shared VPC allows centralized control and subnet isolation.

Why this answer

Option A is correct because Shared VPC with separate subnets per tenant and firewall rules for isolation provides centralized management. Option B is wrong because VPC peering requires explicit peering and does not provide isolation easily. Option C is wrong because Cloud VPN is not for multi-tenant isolation.

Option D is wrong because a single VPC without subnets is insecure.

844
MCQeasy

A company runs a critical application on Compute Engine instances in a managed instance group (MIG) with autoscaling. Users report intermittent 503 errors during traffic spikes. Which action should the company take to improve reliability?

A.Change the load balancer from regional to global
B.Configure a health check with a sufficient initial delay (grace period) in the MIG
C.Increase the autoscaling cool-down period from 60s to 120s
D.Increase the maximum number of instances in the MIG
AnswerB

Correct: ensures instances are healthy before traffic is sent.

Why this answer

Intermittent 503 errors during traffic spikes often indicate that new VM instances are being started but are not yet ready to serve traffic, causing the load balancer to forward requests to them prematurely. Configuring a health check with a sufficient initial delay (grace period) in the MIG ensures that newly created instances are given time to fully initialize and pass health checks before they receive traffic, preventing 503 errors. This directly addresses the root cause by allowing the application to become healthy before being added to the load balancer's backend.

Exam trap

Google Cloud often tests the misconception that scaling-related errors are always solved by increasing capacity or adjusting scaling parameters, when in fact the root cause is often a misconfigured health check or insufficient initialization time for new instances.

How to eliminate wrong answers

Option A is wrong because changing the load balancer from regional to global does not address the timing issue of new instances being marked healthy before they are ready; global load balancers improve cross-region routing but do not affect instance readiness. Option C is wrong because increasing the autoscaling cool-down period from 60s to 120s only delays the scaling decision after a scale-out event, but does not prevent the load balancer from sending traffic to instances that are still initializing; the cool-down period controls how often autoscaler evaluates metrics, not instance readiness. Option D is wrong because increasing the maximum number of instances in the MIG allows more capacity but does not fix the problem of instances being added to the backend pool before they are ready; it may even exacerbate the issue by creating more unhealthy instances.

845
Multi-Selectmedium

Which TWO of the following are valid methods to securely access Google Cloud APIs from a Compute Engine instance without managing service account keys?

Select 2 answers
A.Download a service account key file and store it on the instance
B.Attach a custom service account to the instance using the gcloud command
C.Grant the appropriate IAM roles to the instance's service account
D.Use a Cloud KMS key to generate temporary credentials
E.Use the default Compute Engine service account
AnswersB, E

Custom service account can be attached at creation, no keys needed.

Why this answer

The default service account and attaching a custom service account to the instance both provide access via metadata server, no key management. Using a service account key file (B) requires key management. Using Cloud KMS (D) is for encrypting keys, not accessing APIs.

IAM roles (E) are permissions, not method of access.

846
Multi-Selecteasy

A company is building a web application on GKE. They want to automatically scale the number of pods based on HTTP request rate. Which TWO resources should they configure?

Select 2 answers
A.Cluster Autoscaler (Node Auto-scaling)
B.Custom Metrics API (e.g., Stackdriver Adapter)
C.GKE Ingress
D.Horizontal Pod Autoscaler (HPA)
E.Vertical Pod Autoscaler (VPA)
AnswersB, D

To scale on HTTP request rate, you need to expose that metric via the Custom Metrics API so HPA can use it.

Why this answer

Horizontal Pod Autoscaler (HPA) scales pods based on CPU/memory or custom metrics. To scale based on HTTP request rate, they need to expose custom metrics (e.g., from Stackdriver/Cloud Monitoring) via the Custom Metrics API. The Vertical Pod Autoscaler (VPA) adjusts resource requests, not pod count.

Node autoscaler scales nodes, not pods. Ingress is for traffic routing.

847
MCQeasy

A company is using Cloud Storage for backups and wants to minimize costs. The backups are accessed infrequently and can tolerate retrieval delays. Which storage class is most appropriate?

A.Standard
B.Archive
C.Coldline
D.Nearline
AnswerB

Archive is the cheapest option for long-term backups with rare access and retrieval delays acceptable.

Why this answer

Archive storage class is the most cost-effective option for backups that are accessed infrequently and can tolerate retrieval delays. It offers the lowest storage cost among Google Cloud Storage classes, with a default retrieval time of minutes to hours, making it ideal for long-term backup data that does not require immediate access.

Exam trap

Google Cloud often tests the misconception that 'Coldline' is the cheapest storage class, but Archive is actually the lowest-cost option for data that can tolerate retrieval delays of minutes to hours, not just for data that is rarely accessed.

How to eliminate wrong answers

Option A is wrong because Standard storage class is designed for frequently accessed data with no retrieval delay, and its higher cost makes it unsuitable for infrequently accessed backups. Option C is wrong because Coldline storage, while cheaper than Standard, is still more expensive than Archive and has a 90-day minimum storage duration, which may not be optimal for long-term backups with very low access frequency. Option D is wrong because Nearline storage is intended for data accessed less than once a month, but it has a 30-day minimum storage duration and higher cost compared to Archive, making it less cost-efficient for backups that can tolerate retrieval delays.

848
MCQeasy

A company is migrating sensitive customer data to Google Cloud. They need to ensure data is encrypted at rest and in transit. Which Google Cloud service provides a centralized way to manage encryption keys used by Google Cloud services?

A.Cloud HSM
B.Cloud External Key Manager (Cloud EKM)
C.Cloud Key Management Service (Cloud KMS)
D.Secret Manager
AnswerC

Cloud KMS provides centralized management of encryption keys used by Google Cloud services.

Why this answer

Cloud KMS is the correct choice because it provides a centralized, managed service for creating, rotating, and destroying encryption keys used by Google Cloud services. It integrates directly with services like Cloud Storage, BigQuery, and Compute Engine to enforce encryption at rest, and it supports customer-managed encryption keys (CMEK) for granular control. For data in transit, Cloud KMS can be used to manage keys for TLS or application-level encryption, though Google Cloud automatically encrypts all network traffic by default.

Exam trap

Google Cloud often tests the distinction between Cloud KMS as the centralized key management service and Cloud HSM as a hardware-backed option within Cloud KMS, leading candidates to choose Cloud HSM when the question asks for the centralized service.

How to eliminate wrong answers

Option A is wrong because Cloud HSM is a hardware security module service that provides dedicated, FIPS 140-2 Level 3 validated hardware for key operations, but it is not the centralized key management service; it is an option within Cloud KMS for higher security requirements. Option B is wrong because Cloud External Key Manager (Cloud EKM) allows you to manage keys outside of Google Cloud using an external key management partner, but it is not a centralized Google Cloud service for managing encryption keys used by Google Cloud services; it is for keys stored externally. Option D is wrong because Secret Manager is designed to store and manage secrets such as API keys, passwords, and certificates, not encryption keys for encrypting data at rest or in transit across Google Cloud services.

849
Multi-Selectmedium

Which TWO are required to allow on-premises hosts to access Google APIs using internal IP addresses (Private Google Access)? (Choose 2)

Select 2 answers
A.A Cloud Interconnect or Cloud VPN connection between on-premises and VPC
B.A Cloud Router instance configured in the on-premises network
C.VPC Service Controls enabled
D.Private Google Access enabled on the subnet that the on-premises traffic will use
E.A private DNS zone for googleapis.com
AnswersA, D

Provides network connectivity between on-premises and GCP.

Why this answer

A Cloud Interconnect or Cloud VPN connection is required to establish private, encrypted connectivity between on-premises hosts and a VPC network. This provides the network path for on-premises traffic to reach Google APIs using internal IP addresses, bypassing the public internet. Without this direct connection, on-premises hosts cannot leverage Private Google Access, which only applies to traffic originating within Google Cloud subnets.

Exam trap

Google Cloud often tests the misconception that a Cloud Router or DNS zone is required for Private Google Access, but the core requirement is simply the private network connectivity (Cloud Interconnect or Cloud VPN) and the subnet-level feature enablement.

850
MCQmedium

A team uses Cloud Functions triggered by Cloud Storage events to process uploaded images. They want to ensure that only HTTP-triggered functions can be invoked from outside the project. Which configuration should they apply?

A.Add a VPC firewall rule to allow only internal traffic
B.Set --ingress-settings=internal-only on the HTTP function
C.Remove the Cloud Storage trigger function's trigger
D.Set --ingress-settings=all on the HTTP function
AnswerB

This restricts invocation to within the project.

Why this answer

For Cloud Functions (1st gen), setting --ingress-settings=internal-only restricts invocation to within the project. For Cloud Functions (2nd gen), using an ingress setting of 'all' allows external invocation; using 'internal-only' blocks external calls.

851
MCQhard

When will the key be automatically rotated?

A.Every 180 days
B.Only when manually triggered
C.Every 30 days
D.Every 90 days
AnswerD

7776000s = 90 days.

Why this answer

The rotationPeriod is 7776000 seconds, which equals 90 days. The nextRotationTime is set to 2024-04-01, 90 days after creation, confirming automatic rotation every 90 days.

852
MCQeasy

A company wants to store backup data that is accessed rarely but must be available for retrieval within minutes. Which Cloud Storage class is appropriate?

A.Standard
B.Nearline
C.Coldline
D.Archive
AnswerB

Low-cost storage for data accessed less than once a month with fast retrieval.

Why this answer

Nearline storage is designed for data accessed less than once a month but requires retrieval within minutes, making it ideal for backup data that needs quick availability. It offers lower cost than Standard storage while still supporting sub-minute retrieval times, aligning with the scenario's access and latency requirements.

Exam trap

Google Cloud often tests the distinction between 'retrieval within minutes' and 'retrieval within hours' to confuse candidates into selecting Coldline or Archive, assuming 'rarely accessed' automatically means the cheapest option, but the key is the specific retrieval time requirement.

How to eliminate wrong answers

Option A is wrong because Standard storage is for frequently accessed data (e.g., multiple times per month) and costs more, making it unsuitable for rarely accessed backups. Option C is wrong because Coldline storage is for data accessed less than once a quarter, with retrieval times that can be minutes to hours, but it is optimized for even colder data than Nearline, and its cost structure (including retrieval fees) is less appropriate for backups needing consistent minute-level access. Option D is wrong because Archive storage is for long-term retention with retrieval times typically in hours (e.g., 1-12 hours), not minutes, and is intended for data that is accessed extremely rarely, such as regulatory archives.

853
MCQeasy

A company wants to run a legacy application on Google Cloud that requires a specific operating system version and kernel tuning. The application is not containerised and cannot be easily modified. Which compute service should they use?

A.Cloud Run
B.App Engine Flexible Environment
C.Google Kubernetes Engine (GKE)
D.Compute Engine
AnswerD

Full VM control, custom OS and kernel settings.

Why this answer

Compute Engine provides full control over the virtual machine, including the OS and kernel parameters, making it ideal for legacy applications that require custom configurations.

854
MCQmedium

Refer to the exhibit. An engineer deploys this Terraform configuration. After deployment, they can SSH into the VM using its public IP. However, they want to restrict SSH access to only a specific IP range (203.0.113.0/24). What change is required?

A.Change the 'source_ranges' in the firewall rule to ['203.0.113.0/24']. The instance already has the required tag.
B.Modify the instance to use a network tag 'restricted-ssh' and update the firewall rule target_tags accordingly.
C.Add a new firewall rule with higher priority allowing SSH from 203.0.113.0/24, and keep the existing rule but change its priority to 100.
D.Update the 'source_ranges' in the firewall rule to ['203.0.113.0/24'] and remove the 'ssh-allowed' tag from the instance.
AnswerA

Correct: Updating the source ranges restricts incoming SSH to the specified IP range.

Why this answer

The firewall rule 'allow-ssh' currently allows SSH from all IPs (0.0.0.0/0) to instances with tag 'ssh-allowed'. To restrict to a specific IP range, the source_ranges must be updated to ['203.0.113.0/24']. The instance already has the tag 'ssh-allowed', so no change to tags is needed.

855
MCQmedium

An e-commerce company uses Cloud SQL for MySQL for their transactional database. During a recent load test, the database experienced high latency under write-heavy workloads. The team needs to improve write performance without changing the application. Which action is most effective?

A.Enable binary logging to improve write performance
B.Increase the machine type of the primary instance
C.Migrate to Cloud Spanner
D.Add multiple read replicas
AnswerB

Scaling up the primary instance provides more CPU and memory for write operations, directly improving write throughput.

Why this answer

Cloud SQL for MySQL supports read replicas for read scalability, but for write-heavy workloads you need a larger machine type (scale up) or use memory optimized. Adding read replicas does not help writes. Enabling binary logging adds overhead.

Vertically scaling (increasing vCPUs and RAM) directly improves write throughput. Using Cloud Spanner would require application changes.

856
Multi-Selecteasy

A DevOps team is deploying a microservices application on Google Kubernetes Engine (GKE). They want to ensure that the pods can securely access Google Cloud APIs (e.g., Cloud Storage) without managing service account keys. Which TWO steps should they take? (Choose two.)

Select 2 answers
A.Create a dedicated GCP service account with necessary roles and bind it to Kubernetes service accounts via Workload Identity.
B.Use the Compute Engine default service account on each node.
C.Use a secrets management solution like HashiCorp Vault to store service account keys and retrieve them at runtime.
D.Enable Workload Identity on the GKE cluster.
E.Store service account keys in a Kubernetes Secret and mount them into pods.
AnswersA, D

This grants minimal required permissions to the workload, following the principle of least privilege, and leverages Workload Identity for secure access.

Why this answer

Option A is correct because Workload Identity allows you to bind a Kubernetes service account to a GCP service account, enabling pods to authenticate to Google Cloud APIs (e.g., Cloud Storage) without managing or storing service account keys. This eliminates the security risk of key leakage and simplifies credential rotation. Option D is correct because Workload Identity must be explicitly enabled on the GKE cluster (using the `--workload-pool` flag or via the console) before the binding can be established.

Exam trap

Google Cloud often tests the misconception that storing keys in Kubernetes Secrets or using node-level default service accounts is acceptable for secure API access, when in fact Workload Identity is the recommended, keyless approach for GKE.

857
MCQmedium

A security admin wants to audit all 'create' and 'delete' operations on Compute Engine instances in a project for the last 90 days. Which type of audit log should they query?

A.Data Access audit logs
B.Admin Activity audit logs
C.System Event audit logs
D.Policy Denied audit logs
AnswerB

Admin Activity logs capture administrative actions like create and delete.

Why this answer

Admin Activity audit logs record all API calls that modify configuration or metadata of resources. They are retained for 400 days by default.

858
MCQmedium

Refer to the exhibit. An engineer deployed this Terraform configuration and can SSH to the instance using the external IP. However, they notice that the instance has a public IP address even though they intended to have no public IP. What change should be made to the configuration to ensure the instance does not get a public IP?

A.Change the metadata key enable-oslogin to FALSE.
B.Remove the entire access_config block from the network_interface configuration.
C.Set access_config = [] instead of leaving it empty.
D.Set the network to a custom VPC that does not have external internet access.
AnswerB

Removing the access_config block prevents Terraform from assigning a public IP.

Why this answer

The access_config block with an empty block (no nat_ip specified) still creates an ephemeral external IP. To disable public IP, the entire access_config block must be removed.

859
MCQhard

A company runs a large-scale data processing pipeline using Dataflow with streaming data from Pub/Sub. They notice increasing costs due to high data shuffle operations. They want to optimize the pipeline performance and cost. Which approach should they take?

A.Use a larger machine type for workers.
B.Increase the number of workers to reduce shuffle.
C.Optimize the pipeline by partitioning data and using Combine transforms.
D.Switch to batch mode overnight.
AnswerC

Partitioning and Combine reduce the amount of data shuffled, lowering cost and improving performance.

Why this answer

Optimizing pipeline logic to minimize shuffle reduces resource usage and cost. Increasing workers or using larger machine types may improve performance but increase cost. Switching to batch mode would lose real-time processing capability.

860
MCQhard

A security team wants to enforce that only container images signed by their internal CI/CD pipeline can run on GKE clusters. They also need to ensure that unsigned images are rejected at admission time. Which combination of services and configurations should they use?

A.GKE PodSecurityPolicy with allowed registries
B.Binary Authorization with Cloud KMS for signing
C.Cloud Build with Container Analysis
D.Artifact Registry vulnerability scanning and IAM roles
AnswerB

Binary Authorization enforces policy that only signed images can run. Cloud KMS provides the cryptographic keys for signing.

Why this answer

Binary Authorization enforces policy by requiring images to be signed by trusted signers (e.g., using Cloud KMS). It integrates with GKE admission control to block unsigned images. Cloud KMS creates and manages signing keys.

Artifact Registry stores signed images but does not enforce policy. Cloud Build can be used to sign images during build, but the enforcement mechanism is Binary Authorization.

861
MCQhard

A company is using Cloud Storage to store sensitive data. They need to enforce that objects are deleted exactly 30 days after creation. Which object lifecycle rule should they configure?

A.AbortIncompleteMultipartUpload after 30 days.
B.Delete action with condition daysFromNonCurrentTime: 30.
C.Delete action with condition age: 30.
D.SetStorageClass to Nearline after 30 days.
AnswerC

Deletes objects 30 days after creation.

Why this answer

Option C is correct because the 'Delete action with condition age: 30' directly instructs Cloud Storage to remove objects 30 days after their creation time. The 'age' condition is measured from the object's creation timestamp, which aligns perfectly with the requirement to delete objects exactly 30 days after creation.

Exam trap

Google Cloud often tests the distinction between 'age' (based on creation time) and 'daysFromNonCurrentTime' (based on versioning status), leading candidates to confuse deletion of current objects with cleanup of older versions.

How to eliminate wrong answers

Option A is wrong because AbortIncompleteMultipartUpload is used to cancel incomplete multipart uploads after a specified number of days, not to delete completed objects. Option B is wrong because 'daysFromNonCurrentTime' applies to non-current object versions in a versioned bucket, not to the creation time of the current object. Option D is wrong because SetStorageClass to Nearline changes the storage class to a colder tier but does not delete the object; it only modifies the cost and retrieval latency.

862
Matchingmedium

Match each GCP networking concept to its definition.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Virtual Private Cloud for isolated network

Regional IP address range within a VPC

Controls ingress/egress traffic

Dynamically exchange routes using BGP

Connect two VPCs privately

Why these pairings

These are fundamental networking concepts in GCP.

863
Multi-Selectmedium

An organization wants to monitor network traffic between VMs in a VPC for troubleshooting. Which TWO services can provide this?

Select 2 answers
A.Cloud Audit Logs
B.Packet Mirroring (Network Intelligence Center)
C.VPC Flow Logs
D.Cloud Monitoring
E.Cloud Logging
AnswersB, C

Provides deep packet inspection.

Why this answer

Packet Mirroring (Network Intelligence Center) is correct because it clones the actual packet contents (headers and payload) from VM instances and forwards them to a collector for deep packet inspection, enabling detailed troubleshooting of network traffic between VMs in a VPC. This service captures full packet data, including application-layer information, which is essential for diagnosing issues like packet loss, latency, or protocol errors.

Exam trap

Google Cloud often tests the distinction between services that capture raw packet data (Packet Mirroring) versus those that only log metadata or metrics (VPC Flow Logs, Cloud Monitoring), leading candidates to mistakenly choose VPC Flow Logs as the sole correct answer when full packet capture is required for deep troubleshooting.

864
MCQmedium

Your company uses Cloud VPN (HA VPN) to connect to Google Cloud. You need to achieve a 99.99% SLA for the VPN connection. What configuration is required?

A.One VPN gateway with four tunnels to different on-premises devices
B.Two VPN gateways, each with two tunnels, totaling four tunnels
C.Two VPN gateways, each with one tunnel, using two different edge availability domains
D.One VPN gateway with two tunnels to the same on-premises device
AnswerB

This is the required configuration for 99.99% SLA.

Why this answer

HA VPN provides a 99.99% SLA when configured with two VPN gateways (each with two tunnels) for a total of four tunnels, and the tunnels are configured to use two different edge availability domains in Google Cloud and two different interfaces on the on-premises VPN device.

865
MCQmedium

A company needs to protect an HTTPS load-balanced web application from OWASP Top 10 attacks, including SQL injection and cross-site scripting. Which GCP service should they enable?

A.Cloud NAT
B.Cloud CDN
C.Identity-Aware Proxy
D.Cloud Armor
AnswerD

Why this answer

Cloud Armor provides WAF capabilities that can be attached to HTTPS Load Balancers to filter requests based on OWASP signatures.

866
MCQmedium

A company is planning a migration from on-premises to Google Cloud. They want to ensure minimal downtime and the ability to roll back quickly if issues arise. Which deployment strategy should they use?

A.Blue/green deployment
B.Big bang migration
C.Phased migration
D.Canary deployment
AnswerC

Phased migration gradually moves parts of the workload, allowing rollback if needed, minimizing downtime.

Why this answer

Phased migration involves moving workloads in stages, allowing testing and rollback at each phase. This minimizes risk and downtime. Blue/green and canary are more suited for application updates, not infrastructure migration.

A big bang migration is high risk.

867
MCQeasy

A developer wants to deploy a stateless web application that automatically scales based on HTTP traffic. The application should be cost-effective and require minimal configuration. Which compute option is best?

A.App Engine Standard Environment
B.Cloud Functions
C.Compute Engine managed instance group
D.Cloud Run
E.Google Kubernetes Engine
AnswerD

Correct. Cloud Run scales automatically and is simple to deploy.

Why this answer

Cloud Run is the best choice because it automatically scales to zero when idle, scales up to handle HTTP traffic spikes, and requires minimal configuration—just deploy a container. It is cost-effective as you pay only for resources used during request processing, and it supports stateless web applications natively without managing servers or clusters.

Exam trap

The trap here is that candidates often confuse Cloud Run with Cloud Functions, thinking both are equivalent for web applications, but Cloud Functions is limited to event-driven triggers and cannot serve a full web app with persistent HTTP connections.

How to eliminate wrong answers

Option A is wrong because App Engine Standard Environment, while serverless, has more restrictive runtime environments and may require code modifications to fit its sandbox, whereas Cloud Run offers more flexibility with any container. Option B is wrong because Cloud Functions is designed for event-driven, short-lived functions, not for a full stateless web application that handles continuous HTTP traffic. Option C is wrong because Compute Engine managed instance groups require manual configuration of autoscaling policies, instance templates, and health checks, and do not scale to zero, leading to higher costs during idle periods.

Option E is wrong because Google Kubernetes Engine requires cluster management, node configuration, and more operational overhead, making it less minimal in configuration compared to Cloud Run's fully managed serverless container platform.

868
MCQhard

A financial services company runs workloads on GKE and wants to ensure only container images that have been approved by the security team can be deployed. The approval process involves signing images after vulnerability scanning. Which GCP service should be integrated with GKE to enforce this policy?

A.Cloud Key Management Service (Cloud KMS)
B.Cloud Build
C.Artifact Registry
D.Binary Authorization
AnswerD

Binary Authorization allows only signed images from approved authorities to be deployed.

Why this answer

Binary Authorization enforces that only signed container images from trusted authorities can be deployed on GKE. It integrates with Cloud KMS for signing and can be configured with attestors.

869
MCQhard

A Cloud Router BGP session is flapping. The logs show 'Interface flapping due to changes in the underlying network'. What is the most likely cause?

A.MTU mismatch across the network path.
B.BGP MD5 authentication failure.
C.Incorrect local AS number in Cloud Router configuration.
D.BGP timer misconfiguration between peers.
AnswerA

MTU mismatch can cause intermittent packet loss, leading to BGP session flapping.

Why this answer

The log message 'Interface flapping due to changes in the underlying network' indicates that the BGP session is unstable because the physical or logical interface is going up and down. An MTU mismatch across the network path can cause packet fragmentation issues, leading to intermittent connectivity and interface flaps as the router detects and recovers from the problem. This is the most likely cause because it directly affects the stability of the underlying network path.

Exam trap

The trap here is that candidates often associate BGP flapping with timer misconfigurations or authentication issues, but the specific log message about 'changes in the underlying network' points directly to a Layer 2 or path-level problem like MTU mismatch, not BGP protocol errors.

How to eliminate wrong answers

Option B is wrong because BGP MD5 authentication failure would generate authentication error messages, not interface flapping logs, and would prevent the session from establishing rather than cause intermittent flaps. Option C is wrong because an incorrect local AS number in Cloud Router configuration would cause a BGP open message error and the session would fail to establish entirely, not flap due to interface changes. Option D is wrong because BGP timer misconfiguration (e.g., hold time or keepalive) would cause the session to time out and reset, but the log specifically mentions 'changes in the underlying network', not timer expiry.

870
MCQhard

You are responsible for incident management for a production service. You want to reduce manual toil during the initial response to common issues like high latency. What is the best approach?

A.Use Cloud Monitoring to trigger a Cloud Function that performs automated checks and rolls back the last deployment if latency spikes.
B.Set up Cloud Monitoring alerts with email notifications to the on-call engineer.
C.Create detailed runbooks and require the on-call to follow them step by step.
D.Enable Cloud Logging and set up a custom dashboard for the on-call.
AnswerA

Automated actions reduce manual toil and speed up response.

Why this answer

Option A is correct because it directly reduces manual toil by automating the initial response to common issues like high latency. Cloud Monitoring triggers a Cloud Function that performs automated checks and, if latency spikes, rolls back the last deployment, eliminating the need for human intervention during the critical first response phase.

Exam trap

Google Cloud often tests the distinction between 'alerting' (which still requires manual action) and 'automated remediation' (which reduces toil), so candidates mistakenly choose options that provide visibility or documentation instead of automation.

How to eliminate wrong answers

Option B is wrong because email notifications alone still require the on-call engineer to manually investigate and respond, which does not reduce toil; it merely alerts them. Option C is wrong because requiring the on-call to follow runbooks step by step still involves manual effort and does not automate the response, leaving toil unchanged. Option D is wrong because enabling Cloud Logging and setting up a custom dashboard provides visibility but does not automate any action, so the on-call must still manually diagnose and respond to the issue.

871
MCQmedium

A cloud architect is designing a CI/CD pipeline for a microservices application. Each service is deployed to Cloud Run. They want to use Cloud Build to automate building and deploying services only when changes occur in their respective directories. Which Cloud Build feature should they configure?

A.Build steps in cloudbuild.yaml
B.Build triggers with included files filter
C.Cloud Build's 'includedFiles' option in the build configuration
D.Artifact Registry triggers
AnswerB

Correct: Cloud Build triggers can filter by file paths to trigger builds only on changes to specific directories.

Why this answer

Cloud Build triggers can be configured with regular expressions to match changed files in specific directories, so builds are only started for relevant changes. Build steps define actions but not triggers; cloudbuild.yaml is the build configuration file; Artifact Registry is a storage service.

872
MCQhard

A company runs a stateful workload on GKE that requires at most one pod per node. They want to survive a zonal failure with minimal downtime. The application can be restarted on a new node. Which configuration should they use?

A.Use a StatefulSet with pod anti-affinity required and a regional cluster
B.Use a Deployment with a PodDisruptionBudget set to maxUnavailable=0
C.Deploy a Deployment with a nodeSelector for one zone
D.Use a DaemonSet with node affinity
AnswerA

StatefulSet provides stable storage and network identity; anti-affinity ensures one pod per node; regional cluster spreads nodes across zones.

Why this answer

A StatefulSet with pod anti-affinity required ensures one pod per node. A regional cluster with nodes in multiple zones allows rescheduling in another zone. A single-zone cluster would not survive a zonal failure.

PDB limits disruption but does not handle zone failure.

873
MCQmedium

A company is designing a microservices architecture on Google Kubernetes Engine (GKE) for a global user base. They require high availability across multiple zones, automatic scaling, and rolling updates without downtime. Which Kubernetes workload resource should they use for each service?

A.StatefulSet with volumeClaimTemplates for persistent storage
B.Deployment with pod anti-affinity rules spread across zones
C.Job for batch processing
D.DaemonSet to ensure one pod per node
AnswerB

Deployments provide rolling updates and replica management; combined with pod anti-affinity, they can ensure pods are distributed across zones for high availability.

Why this answer

Option C is correct because Deployments support rolling updates and pod anti-affinity can spread pods across zones for high availability. StatefulSets are for stateful workloads, DaemonSets for node-level daemons, and Jobs for batch tasks.

874
Multi-Selecthard

A company is designing a highly available web application on Google Cloud. The application consists of stateless compute instances behind a global HTTP(S) Load Balancer. The compute instances must be able to handle sudden spikes in traffic. Which TWO strategies should the company implement? (Choose two.)

Select 2 answers
A.Use Cloud CDN to cache all responses from the application servers.
B.Use a managed instance group with autoscaling based on CPU utilization.
C.Use a single Compute Engine instance in a single zone with a large machine type.
D.Use a global HTTP(S) Load Balancer with backends in multiple regions.
E.Use vertical scaling by selecting a machine type with more vCPUs and memory.
AnswersB, D

Autoscaling handles spikes by adding instances.

Why this answer

Option B is correct because a managed instance group with autoscaling based on CPU utilization automatically adjusts the number of stateless compute instances in response to traffic spikes, ensuring the application can handle sudden load increases without manual intervention. This aligns with the requirement for stateless instances behind a global load balancer, as autoscaling adds or removes instances based on real-time CPU metrics, providing elasticity and high availability.

Exam trap

The trap here is that candidates often confuse caching (Cloud CDN) with compute scaling, or assume vertical scaling (larger machine types) is sufficient for sudden spikes, ignoring the need for horizontal elasticity and multi-zone redundancy in a highly available architecture.

875
MCQmedium

A company wants to automatically move data from Cloud Storage Standard to Nearline after 30 days and to Archive after 90 days. Which approach should they use?

A.Write a custom script using Cloud Functions triggered by Pub/Sub to move objects
B.Use Object Versioning to automatically change storage class
C.Set up a Cloud Storage lifecycle policy with rules to transition to Nearline after 30 days and to Archive after 90 days
D.Enable Requester Pays on the bucket to reduce storage costs
AnswerC

Lifecycle policies automate tiering based on age.

Why this answer

Cloud Storage lifecycle policies can automatically transition objects between storage classes based on age or other conditions. This is the simplest and most cost-effective method. Manually moving data is not practical.

Object versioning helps with retention but not automatic tiering. Requester pays shifts costs but does not move data.

876
Multi-Selectmedium

A company runs a critical application on a Compute Engine instance. They want to ensure that the application remains available even if the instance crashes. Which two GCP features should they use? (Choose two.)

Select 2 answers
A.Regular snapshots of the persistent disk.
B.A load balancer distributing traffic to a single instance.
C.Instance template with automatic restart.
D.Managed Instance Group with autohealing.
E.A Cloud CDN to cache static content.
AnswersC, D

Automatic restart restarts the instance on host failure.

Why this answer

Option C is correct because an instance template with automatic restart enables Compute Engine to automatically restart a VM instance if it crashes or is terminated due to a non-user-initiated failure. This feature is configured at the instance level and ensures that the application recovers quickly without manual intervention, improving availability for a single-instance workload.

Exam trap

The trap here is that candidates often confuse automatic restart (which handles VM crashes) with autohealing (which handles application-level failures), or incorrectly assume a load balancer alone provides high availability without a redundant backend.

877
MCQmedium

Your organization uses Cloud Spanner for a customer database with a 99.999% availability SLA. You need a Disaster Recovery plan that ensures data consistency with zero RPO in case of a region failure. What should you do?

A.Use a single-region instance configuration and enable read replicas.
B.Export the database periodically to Cloud Storage and set up a cross-region load balancer.
C.Configure daily backups and store them in Cloud Storage in a different region.
D.Use a multi-region instance configuration (e.g., nam-eur-asia) for the Spanner instance.
AnswerD

Multi-region configs use synchronous replication across regions, providing automatic failover with zero RPO.

Why this answer

Option D is correct because Cloud Spanner multi-region instance configurations (e.g., nam-eur-asia) provide synchronous replication across multiple regions, ensuring strong global consistency and zero RPO. This architecture uses Paxos-based replication to commit writes only after they are durably stored in a majority of regions, so a region failure does not lose any committed data. The 99.999% availability SLA is met by automatic failover within the multi-region setup without manual intervention.

Exam trap

Google Cloud often tests the misconception that read replicas or periodic exports can achieve zero RPO, but only synchronous multi-region replication (as in Spanner's multi-region configurations) guarantees no data loss during a region failure.

How to eliminate wrong answers

Option A is wrong because single-region instance configurations with read replicas are not supported in Cloud Spanner; Spanner uses writable replicas, not read replicas, and a single-region setup cannot survive a full region failure, thus cannot achieve zero RPO. Option B is wrong because exporting the database periodically to Cloud Storage introduces a non-zero RPO (the time between exports) and does not guarantee data consistency at the point of failure; cross-region load balancers do not handle Spanner's transactional consistency. Option C is wrong because daily backups stored in a different region provide point-in-time recovery with a minimum RPO of 24 hours (or more), not zero RPO, and cannot ensure data consistency for transactions in flight at the time of failure.

878
Drag & Dropmedium

Drag and drop the steps to configure a Cloud Load Balancer with a backend service consisting of Compute Engine instances into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Health checks ensure traffic only goes to healthy instances; URL map defines routing; forwarding rule exposes the IP.

879
MCQhard

An organization needs to comply with FedRAMP High requirements and wants to run workloads in a GCP region that supports these controls. They also need to restrict data movement to only approved services. Which GCP feature should they use?

A.Cloud HSM
B.Assured Workloads
C.Data Access Audit Logging
D.VPC Service Controls
AnswerB

Assured Workloads enables FedRAMP High and ITAR compliance with region and service restrictions.

Why this answer

Assured Workloads provides compliance controls including FedRAMP, and allows creating a folder with specific regulatory requirements. VPC Service Controls can be used within that folder to restrict data movement.

880
MCQmedium

An organization wants to receive alerts when their Cloud SQL instance's CPU utilization exceeds 80% for 5 minutes. They want to send the alert to both email and a Pub/Sub topic for further processing. What should they do?

A.Configure a Cloud Scheduler job to check CPU utilization and publish to Pub/Sub
B.Create a log-based alert for CPU utilization using Logging and route to email and Pub/Sub
C.Create a Cloud Monitoring alerting policy with a metric threshold condition on CPU utilization and add both email and Pub/Sub notification channels
D.Use Cloud Functions to poll the Cloud Monitoring API every minute and send notifications
AnswerC

This is the correct approach. Metric threshold conditions trigger on CPU utilization, and multiple notification channels can be added.

Why this answer

In Cloud Monitoring, an alerting policy can have multiple notification channels (email, Pub/Sub, PagerDuty, SMS). The CPU utilization metric is available via the 'cloudsql.googleapis.com' metric type.

881
MCQeasy

A developer needs to deploy a containerized application on Google Kubernetes Engine (GKE) with minimal operational overhead. They want to automatically scale the number of pods based on CPU utilization. Which GKE feature should they use?

A.Horizontal Pod Autoscaler.
B.Node auto-repair.
C.Vertical Pod Autoscaler.
D.Cluster Autoscaler.
AnswerA

HPA scales pods based on metrics like CPU.

Why this answer

The Horizontal Pod Autoscaler (HPA) is the correct choice because it automatically scales the number of pod replicas in a GKE deployment based on observed CPU utilization (or other custom metrics). This directly meets the requirement of scaling pods with minimal operational overhead, as HPA is a native Kubernetes resource that requires no manual intervention once configured.

Exam trap

Google Cloud often tests the distinction between horizontal scaling (HPA) and vertical scaling (VPA), where candidates mistakenly choose VPA when the question explicitly asks for scaling the number of pods based on CPU utilization.

How to eliminate wrong answers

Option B (Node auto-repair) is wrong because it automatically repairs unhealthy nodes in the node pool, not scales pods based on CPU utilization. Option C (Vertical Pod Autoscaler) is wrong because it adjusts the CPU and memory requests/limits of existing pods (vertical scaling), not the number of pod replicas (horizontal scaling). Option D (Cluster Autoscaler) is wrong because it adds or removes nodes from the cluster based on pod scheduling needs, not directly scaling pods based on CPU utilization.

882
Multi-Selectmedium

A company wants to protect a web application from SQL injection and cross-site scripting (XSS) attacks. They also need to block traffic from specific geographic regions. Which three features of Cloud Armor should they use? (Choose THREE).

Select 3 answers
A.Rate limiting
B.WAF rules
C.Geographic restrictions
D.Cloud CDN
E.Adaptive Protection
AnswersA, B, C

Can mitigate DDoS attacks by limiting request rates.

Why this answer

WAF rules (preconfigured rules for SQLi, XSS), rate limiting (optional), and geographic restrictions (geo-based access control) are all features of Cloud Armor.

883
MCQmedium

A company uses BigQuery for analytics. They have a large partitioned table that is queried frequently. The query performance has degraded over time. Which optimization should they try first?

A.Create a materialized view for each frequent query.
B.Increase the number of slots for the project.
C.Apply clustering on frequently filtered columns.
D.Denormalize the table to reduce joins.
AnswerC

Clustering sorts data, reducing scanned data for filters.

Why this answer

Clustering on frequently filtered columns reorganizes the data within partitions based on the values of those columns, which allows BigQuery to prune blocks more effectively during queries. This directly addresses the performance degradation by reducing the amount of data scanned, without requiring additional storage or compute resources.

Exam trap

Google Cloud often tests the misconception that adding more slots (Option B) is the default performance fix, when in reality the first step should be to reduce data scanned through clustering or partitioning optimization.

How to eliminate wrong answers

Option A is wrong because creating materialized views for each frequent query would increase storage costs and maintenance overhead, and they are not the first optimization to try for a partitioned table with degraded performance; clustering addresses the root cause of excessive data scanning. Option B is wrong because increasing the number of slots only improves concurrency and throughput, not the efficiency of individual queries; it does not reduce the amount of data read per query. Option D is wrong because denormalizing the table to reduce joins is a schema design change that may help with join-heavy workloads, but it does not address the core issue of scanning too many rows in a large partitioned table; clustering is a more targeted and less disruptive first step.

884
MCQeasy

A developer needs to deploy a stateful application that requires persistent storage across pod restarts in Google Kubernetes Engine. Which resource should they use?

A.ConfigMap
B.EmptyDir
C.Secret
D.PersistentVolumeClaim
AnswerD

Provides persistent storage that remains across pod restarts.

Why this answer

A PersistentVolumeClaim (PVC) is the correct resource because it allows a pod to request persistent storage that survives pod restarts. In GKE, a PVC binds to a PersistentVolume (PV), which can be backed by Compute Engine persistent disks, ensuring data remains available even if the pod is rescheduled or restarted.

Exam trap

The trap here is that candidates confuse ephemeral volumes (EmptyDir) with persistent storage, or assume ConfigMaps/Secrets can store application data, when in fact they are for configuration and secrets only.

How to eliminate wrong answers

Option A is wrong because a ConfigMap is used to inject configuration data (e.g., environment variables, files) into pods, not for persistent storage. Option B is wrong because an EmptyDir volume is ephemeral—it is created when a pod starts and is deleted when the pod is removed, so data does not persist across pod restarts. Option C is wrong because a Secret is designed to store sensitive data (e.g., passwords, tokens) and is not a storage volume for application data.

885
MCQhard

A global e-commerce site uses an external HTTPS load balancer with a backend service pointing to a managed instance group. Some users report 503 errors during peak traffic. The backend instances are healthy and not overloaded. What is the most likely cause?

A.The CDN cache is not warming up properly
B.The backend service's health check interval is too short
C.The SSL certificate is expired
D.The load balancer's max rate per backend is configured too low
AnswerD

The load balancer enforces a rate limit at the backend level; exceeding it produces 503.

Why this answer

A 503 error from an external HTTPS load balancer with healthy backends typically indicates that the load balancer is throttling requests. The 'max rate per backend' setting limits the number of requests per second that the load balancer forwards to each backend instance. When this limit is exceeded, the load balancer returns 503 errors even though the instances themselves are not overloaded, which matches the scenario of peak traffic.

Exam trap

Google Cloud often tests the misconception that 503 errors always indicate backend overload or health check failures, when in fact the load balancer's rate limiting configuration can cause 503s with perfectly healthy instances.

How to eliminate wrong answers

Option A is wrong because CDN cache warming affects cache hit ratios and latency, not 503 errors from the load balancer; a cold cache would cause more origin requests but not throttling. Option B is wrong because a health check interval that is too short could cause flapping or false unhealthy status, but the question states backend instances are healthy and not overloaded, so health checks are passing. Option C is wrong because an expired SSL certificate would cause TLS handshake failures (e.g., ERR_CERT_DATE_INVALID) and 502 or connection errors, not 503 errors from the load balancer itself.

886
MCQmedium

A DevOps engineer needs to automate the deployment of a containerized application to Google Kubernetes Engine (GKE) using a CI/CD pipeline. The pipeline should build a Docker image, store it in Artifact Registry, and then deploy it to a GKE cluster. Which two Google Cloud services should be used together to achieve this?

A.Cloud Build and Cloud Run
B.Artifact Registry and GKE alone
C.Cloud Source Repositories and Compute Engine
D.Cloud Build and Cloud Deploy
AnswerD

Correct: Cloud Build builds and pushes the image, Cloud Deploy handles deployment to GKE.

Why this answer

Cloud Build can build the Docker image and push it to Artifact Registry. Cloud Deploy can then deploy the image to GKE using a delivery pipeline. Cloud Run is for serverless containers, not GKE.

Cloud Source Repositories is a code repository, not a deployment service. Compute Engine is not needed for this use case.

887
MCQmedium

A team wants to collect and analyze logs from multiple projects into a centralized BigQuery dataset for long-term retention and SQL querying. They want to exclude health check logs to reduce costs. Which approach should they use?

A.Use Cloud Monitoring to exclude health check logs
B.Create a log metric for health check logs and filter in BigQuery
C.Create a log sink to BigQuery and add a log exclusion filter for health check logs
D.Set up a Cloud Function to delete health check logs from BigQuery
AnswerC

Log sinks export logs to a destination; exclusion filters prevent matching logs from being ingested or exported.

Why this answer

Log sinks can route logs to BigQuery, and exclusion filters can be applied to filter out specific logs before they are ingested.

888
MCQeasy

A company wants to minimize egress costs for data transferred between Compute Engine instances in the same region but different zones. What is the best practice?

A.Use a VPN connection.
B.Use internal IPs and ensure they are in the same VPC.
C.Use Cloud NAT.
D.Use external IPs for all instances.
AnswerB

Internal IP traffic within the same VPC and region is free.

Why this answer

B is correct because data transfer between Compute Engine instances in the same region but different zones uses internal IP addresses within the same VPC, which incurs no egress costs. Google Cloud does not charge for traffic between instances using internal IPs within the same region, regardless of zone, as long as they are in the same VPC network. This is the most cost-effective approach for minimizing egress costs.

Exam trap

The trap here is that candidates often confuse 'different zones' with 'different regions' and assume egress costs apply, or they mistakenly think that using external IPs or NAT is necessary for inter-instance communication, when in fact internal IPs within the same VPC and region are free and optimal.

How to eliminate wrong answers

Option A is wrong because using a VPN connection introduces additional complexity and does not reduce egress costs; VPN traffic still traverses the internet or uses Cloud VPN tunnels, which incur egress charges. Option C is wrong because Cloud NAT is used for outbound internet access from private instances and does not affect inter-instance traffic costs within the same region; it would add unnecessary overhead and potential costs. Option D is wrong because using external IPs for all instances forces traffic to go through the internet or Google's external network, incurring egress charges even within the same region, which is the opposite of minimizing costs.

889
Multi-Selectmedium

A data engineering team wants to ingest streaming data from Pub/Sub, transform it using Apache Beam, and load it into BigQuery for real-time analytics. They need a fully managed solution that handles autoscaling and does not require managing servers. Which TWO Google Cloud services should they use?

Select 2 answers
A.Cloud Dataproc
B.Cloud Dataflow
C.Cloud Dataprep
D.Cloud Composer
E.Cloud Pub/Sub
AnswersB, E

Dataflow runs Beam pipelines with autoscaling and serverless processing.

Why this answer

Dataflow is the fully managed service for executing Apache Beam pipelines, with autoscaling and serverless execution. Pub/Sub is the ingestion service. Cloud Composer is Airflow, not streaming; Dataproc is for Spark/Hadoop; Dataprep is for data preparation.

890
MCQmedium

A company runs a critical application on Compute Engine with a 1-year commitment for cost savings. They want to also optimize for performance by using machine types with more memory. They plan to update to a different machine series during the commitment term. Which committed use discount type allows this flexibility?

A.Preemptible discount
B.Sustained use discount
C.Spend-based committed use discount
D.Resource-based committed use discount
AnswerC

Spend-based discounts provide commitment to a dollar amount, allowing flexible selection of machine types as long as the spend is maintained.

Why this answer

Spend-based committed use discounts apply to a dollar amount of spend on eligible instance types, allowing flexibility to change machine types as long as the spend commitment is met. Resource-based committed use discounts are tied to specific machine types (e.g., n1-standard-4) and cannot be changed without breaking the commitment.

891
MCQhard

Refer to the exhibit. A Deployment Manager template deploys a GKE cluster and a job that publishes to Pub/Sub. The job fails with a permission error. Which change would fix the issue?

A.Set the job's serviceAccountName to the default compute service account.
B.Change the oauthScopes to include https://www.googleapis.com/auth/cloud-platform.
C.Add dependsOn: [my-job] to the cluster resource to ensure the cluster is ready.
D.Add a serviceAccount field to nodeConfig with a custom service account that has roles/pubsub.publisher.
AnswerD

This ensures the nodes (and thus the job) have the required Pub/Sub publish permission.

Why this answer

The node pool's service account needs the Pub/Sub Publisher role. The exhibit shows the nodes are using the default compute engine service account with only pubsub scope (no roles). The fix is to assign a service account with the necessary IAM role.

892
MCQhard

A company runs a microservices application on GKE Autopilot. They want to implement canary deployments where a new version of a service receives 10% of traffic. Which approach should they use?

A.Use Istio VirtualService to split traffic between two subsets of the same Service
B.Use a Kubernetes Service with label selectors pointing to two Deployments (stable and canary) and scale the number of replicas to achieve 10% traffic
C.Deploy the canary version using a separate Service with a different DNS name and configure the application to split traffic
D.Use Cloud Deploy with a rollout strategy that sets traffic percentage to 10% for the canary
AnswerB

This is a standard Kubernetes canary pattern: a Service routes traffic to pods matching labels from both Deployments. By scaling replicas, you can approximate traffic percentage.

Why this answer

GKE Autopilot supports canary deployments using Kubernetes native features like multiple Deployments with a Service selector using a common label, and adjusting replica counts to control traffic. Istio or Traffic Director are not required. Cloud Deploy can be used but the simplest approach is to use a single Kubernetes Service with label selectors pointing to both Deployments and scaling replicas.

893
MCQmedium

A company is running a containerized application on Cloud Run and needs to handle long-running requests that may exceed Cloud Run's default timeout. They also need to use WebSocket connections. What should they do?

A.Use Cloud Functions with a HTTP trigger and increase the timeout to 60 minutes.
B.Deploy the application on Google Kubernetes Engine (GKE) with a NodePort service to handle WebSocket natively.
C.Move WebSocket connections to Compute Engine and adjust Cloud Run timeout to 60 minutes for long requests.
D.Increase the Cloud Run container timeout to the maximum (60 minutes) and enable WebSocket support by setting an environment variable.
AnswerC

Cloud Run timeout can be set to up to 60 minutes; WebSocket is not supported, so use Compute Engine for WebSocket.

Why this answer

Cloud Run allows configuring request timeout up to 60 minutes. However, WebSocket support is limited; Cloud Run does not support WebSocket connections natively. For WebSocket, they should consider GKE or Compute Engine.

Thus, the correct answer is to adjust Cloud Run timeout max and move WebSocket to another service.

894
MCQeasy

An organization needs to meet a RTO of 1 hour for a critical application running on GCE with persistent disks. What is the most cost-effective approach?

A.Use regional persistent disks.
B.Replica of compute instance in another zone.
C.Frequent disk image exports.
D.Regular snapshots to a regional bucket.
AnswerA

Synchronous replication, fast failover.

Why this answer

Regional persistent disks (PD) provide synchronous replication of data between two zones in the same region, enabling automatic failover for a GCE instance without manual intervention. This meets the 1-hour RTO by allowing the instance to be recreated or failed over to the secondary zone quickly, and it is more cost-effective than maintaining a full replica instance because you only pay for the disk storage and replication, not for an idle compute instance.

Exam trap

The trap here is that candidates often confuse regional persistent disks with snapshots or image exports, assuming that any backup method can meet a strict RTO, but they overlook the synchronous replication and automatic failover capability of regional PDs that make them the most cost-effective for this requirement.

How to eliminate wrong answers

Option B is wrong because maintaining a replica of the compute instance in another zone incurs additional compute costs for the idle replica, which is less cost-effective than using regional PDs that only replicate the disk. Option C is wrong because frequent disk image exports are time-consuming (exporting an image can take longer than 1 hour) and incur storage costs for each image, making it impractical for a 1-hour RTO and not cost-effective. Option D is wrong because regular snapshots to a regional bucket provide asynchronous backup, not synchronous replication; restoring from a snapshot requires creating a new disk and instance, which can exceed the 1-hour RTO due to snapshot export and disk creation times.

895
MCQhard

An organization has deployed a multi-region Cloud Spanner instance for a global application. The application is experiencing high latency for read requests from a specific region. The team has verified that the application is using stale reads and the data distribution is even. What is the most likely cause of the high latency?

A.The number of read replicas in the region is insufficient to handle the read volume.
B.The Spanner instance has too few nodes, causing contention.
C.The application is using read-write transactions instead of read-only transactions.
D.The Spanner instance does not have a read replica in a location close to the clients.
AnswerD

Adding a read replica in the region reduces network round-trip time, lowering read latency.

Why this answer

Option D is correct because Cloud Spanner uses a single global configuration with regional read replicas. If the instance does not have a read replica in the region where the clients are located, read requests must traverse the network to a replica in another region, causing higher latency. Even with stale reads, the physical distance to the nearest replica directly impacts read latency.

Exam trap

Google Cloud often tests the misconception that adding more nodes or read replicas solves regional latency, when the real issue is the absence of a local replica in the specific region.

How to eliminate wrong answers

Option A is wrong because Cloud Spanner does not have a concept of 'read replicas' in the same way as traditional databases; it uses a single set of nodes per instance, and read capacity scales with the number of nodes, not with separate read replicas. Option B is wrong because the team has verified that data distribution is even, and the question states the issue is specific to a region, not global contention; too few nodes would cause high latency across all regions, not just one. Option C is wrong because the team has already verified that the application is using stale reads, which are read-only transactions by definition; read-write transactions would not be used in this scenario.

896
MCQmedium

A company has a Cloud SQL for MySQL instance with automated backups enabled. They need to recover the database to a specific point in time within the last hour. Which feature should they use?

A.Failover replica
B.Point-in-time recovery (PITR)
C.Automated backup restore
D.Import using the mysqldump file
AnswerB

PITR allows restoring to any point within the retention period.

Why this answer

Point-in-time recovery (PITR) restores a Cloud SQL instance to a specific time, using binary logs. Automated backups alone restore to the backup time, not arbitrary points. Failover replica is for high availability.

Import is for loading data from a file.

897
MCQmedium

An organization requires that all container images deployed to GKE be signed and verified before deployment. Which GCP service should be used?

A.Container Registry vulnerability scanning
B.Binary Authorization
C.Cloud Build
D.Artifact Registry
AnswerB

Binary Authorization enforces attestation-based policies for deploying only signed container images.

Why this answer

Binary Authorization enforces deployment policies that require images to be signed by trusted authorities (e.g., using Cloud KMS) and verified before being deployed to GKE.

898
MCQeasy

A startup wants to run a containerized web application that scales to zero when not in use and charges only for request processing time. Which compute service is most appropriate?

A.Google Kubernetes Engine (Autopilot)
B.Compute Engine with preemptible VMs
C.Cloud Run
D.App Engine Standard
AnswerC

Cloud Run is a serverless container platform that scales to zero when idle, charging only for request processing and compute time.

Why this answer

Cloud Run is a fully managed serverless container platform that scales down to zero and charges per request, making it ideal for variable workloads that need to minimize cost when idle.

899
Multi-Selecthard

Which THREE are valid Google Cloud Dedicated Interconnect connection options?

Select 3 answers
A.High availability (HA) with two 10 Gbps circuits.
B.10 Gbps single circuit.
C.IPsec VPN tunnel as a backup to the interconnect.
D.Partner Interconnect offering via a service provider.
E.100 Gbps single circuit.
AnswersA, B, E

HA option provides redundancy.

Why this answer

Option A is correct because Google Cloud Dedicated Interconnect supports high availability configurations using two 10 Gbps circuits to provide redundancy and meet SLA requirements. This setup ensures that if one circuit fails, traffic can be rerouted through the other, maintaining connectivity.

Exam trap

Google Cloud often tests the distinction between Dedicated Interconnect and Partner Interconnect, and the fact that IPsec VPN is a separate backup option, not a connection type for Dedicated Interconnect.

900
MCQhard

An organization wants to implement a canary deployment in GKE, directing 5% of traffic to a new version and 95% to the stable version. They want to use Google Cloud's managed service mesh for traffic splitting. Which approach should they use?

Answer options not yet available.

Why this answer

Anthos Service Mesh (based on Istio) can be used for fine-grained traffic splitting using VirtualService and DestinationRule resources. Cloud Deploy also supports canary deployments but is primarily for continuous delivery, not traffic splitting at the mesh level. For managed service mesh, Anthos Service Mesh is the correct choice.

Page 11

Page 12 of 14

Page 13