Google Professional Cloud Architect (PCA) — Questions 76-150

509 questions total · 7 pages · All types, answers revealed

Page 2 of 7
76
MCQ · easy

A company deploys a stateful workload using StatefulSets on GKE. They want to ensure that if a pod is evicted, its persistent volume claim (PVC) is reattached to the replacement pod in the same zone. Which configuration achieves this?

A. Use a StatefulSet with a volumeClaimTemplate referencing a persistent disk in the same zone.
B. Use a Deployment with a PVC that has allowedTopologies restricting to the desired zone.
C. Use a Deployment with a persistent volume that is manually attached after pod creation.
D. Use a StatefulSet with a persistent disk that has access mode ReadOnlyMany.
Answer: A

StatefulSet ensures stable pod identity and PVC reattachment; zone affinity ensures the disk is in the same zone.

Why this answer

StatefulSets are designed for stateful workloads and guarantee stable network identities and persistent storage. When a pod is evicted, the StatefulSet controller ensures the replacement pod uses the same PVC, which is bound to a GCE Persistent Disk in the same zone as the original pod, provided the volumeClaimTemplate specifies a disk in that zone. This maintains data locality and avoids cross-zone reattachment.

Exam trap

Google Cloud often tests the misconception that Deployments can handle stateful workloads with persistent storage, but they lack the ordinal identity and PVC reattachment guarantees that StatefulSets provide for zone-pinned recovery.

How to eliminate wrong answers

Option B is wrong because Deployments do not guarantee stable pod identities or PVC reattachment to the same zone; allowedTopologies can restrict where a PVC is created but do not ensure the replacement pod reuses the same PVC after eviction. Option C is wrong because manually attaching a persistent volume after pod creation is not automated and defeats the purpose of a self-healing, declarative Kubernetes setup. Option D is wrong because ReadOnlyMany access mode allows multiple pods to read the same volume but does not ensure zone-pinned reattachment or single-pod write access, and StatefulSets typically use ReadWriteOnce for stateful workloads.

77
MCQ · medium

A DevOps team is building a CI/CD pipeline for a microservices application deployed on Google Kubernetes Engine. They want to ensure that each microservice can be deployed independently without affecting other services. Which strategy should they use?

A. Implement canary deployments with a service mesh such as Istio and use separate Cloud Build triggers per microservice.
B. Use blue/green deployments with a global load balancer to switch traffic.
C. Use Cloud Deploy with rollout strategies and keep all microservices in the same GKE namespace.
D. Create a single monolithic pipeline that deploys all microservices simultaneously.
Answer: A

Canary releases with service mesh enable fine-grained traffic management per microservice.

Why this answer

Option A is correct because it combines canary deployments with a service mesh (Istio) to gradually shift traffic to a new version of a single microservice, ensuring independent deployment without impacting other services. Separate Cloud Build triggers per microservice allow each service to be built and deployed independently, aligning with the microservices architecture's requirement for decoupled release cycles.

Exam trap

Google Cloud often tests the distinction between deployment strategies that affect the entire application (blue/green, global load balancer) versus those that allow per-service granularity (canary with service mesh), and candidates may mistakenly choose blue/green because it is a well-known pattern, ignoring the requirement for independent microservice deployments.

How to eliminate wrong answers

Option B is wrong because blue/green deployments with a global load balancer are typically used for switching traffic between entire application versions, not for independently deploying individual microservices; this approach would require coordinating all services together, violating the independence requirement. Option C is wrong because keeping all microservices in the same GKE namespace does not prevent cross-service impact during deployment; Cloud Deploy's rollout strategies apply to the entire set of services in that namespace, not per microservice. Option D is wrong because a single monolithic pipeline that deploys all microservices simultaneously directly contradicts the goal of independent deployment; any failure or change in one service would block or affect all others.

78
MCQ · easy

A company is using Cloud NAT to allow private instances to access the internet. They notice that outbound connections are failing intermittently. What is the most likely cause?

A. The private instances are using the wrong DNS server.
B. The VPC firewall rules are blocking egress traffic.
C. Cloud NAT does not support TCP connections.
D. The number of concurrent connections exceeds the Cloud NAT source port capacity for the assigned NAT IPs.
Answer: D

Cloud NAT has limited ports per public IP; exhaustion causes intermittent drops.

Why this answer

Cloud NAT uses source network address translation (SNAT) to map private instance IPs to one or more public NAT IP addresses. Each NAT IP has a limited pool of source ports (typically 64,512 per IP for TCP/UDP). When concurrent connections exceed this capacity, new outbound connections are dropped, causing intermittent failures.

This is the most likely cause given the symptom of intermittent failures.

Exam trap

The trap here is that candidates confuse intermittent failures with firewall misconfigurations or DNS issues, but the key clue is 'intermittent', which points to a resource exhaustion problem such as port capacity, not a static policy or configuration error.

How to eliminate wrong answers

Option A is wrong because DNS server misconfiguration would cause name resolution failures, not intermittent connection drops after resolution; Cloud NAT operates at the network layer and is independent of DNS. Option B is wrong because VPC firewall rules blocking egress traffic would cause consistent, not intermittent, failures; the question states failures are intermittent, which points to resource exhaustion rather than a static rule. Option C is wrong because Cloud NAT explicitly supports TCP, UDP, and ICMP connections; it performs SNAT for all these protocols.

79
Multi-Select · medium

Which TWO statements about Google Cloud VPC firewall rules are correct? (Choose two.)

Select 2 answers
A. Firewall rules are stateless and require explicit rules for return traffic.
B. Firewall rules allow you to specify both source and destination IP ranges.
C. Default VPC has firewall rules that block all ingress traffic.
D. Firewall rules cannot be applied to instances by service account.
E. Hierarchical firewall policies can be applied to the organization, folder, or project level.
Answers: B, E

Rules can have source and destination filters.

Why this answer

Option B is correct because Google Cloud VPC firewall rules are stateful and allow you to specify both source and destination IP ranges in a single rule. This enables granular control over traffic direction, such as allowing ingress from a specific source CIDR to a specific destination CIDR within the VPC.

Exam trap

Google Cloud often tests the misconception that firewall rules are stateless or that the default VPC blocks all ingress, when in fact Google Cloud VPC rules are stateful and the default VPC allows specific ingress traffic (ICMP, RDP, SSH) from any source.

80
MCQ · hard

A company runs a batch processing workload on Compute Engine instances. The workload is triggered every hour and runs for about 10 minutes. They want to reduce costs. They currently use preemptible VMs, but they notice that sometimes the workload fails because VMs are preempted before completion. They need a cost-effective solution that ensures the workload completes reliably. What should they do?

A. Increase the machine size of the preemptible VMs to finish faster.
B. Provision a commitment-based discount for standard VMs.
C. Use standard (non-preemptible) VMs to avoid preemption.
D. Create a custom machine type with minimal resources and use a managed instance group with preemptible VMs, combined with a startup script that retries on failure.
Answer: D

Custom machine types match the exact resource needs, avoiding waste. Preemptible VMs are cheap, and the managed instance group will recreate VMs if preempted. A startup script that retries ensures reliability.

Why this answer

Option D is correct because it combines the cost savings of preemptible VMs with reliability through a managed instance group (MIG) and a retry startup script. The MIG automatically recreates VMs if preempted, and the startup script ensures the batch workload restarts from where it left off or retries the entire job, guaranteeing completion at minimal cost.

Exam trap

The trap here is that candidates assume standard VMs are the only reliable option, overlooking that managed instance groups with preemptible VMs and retry logic provide both reliability and cost savings.

How to eliminate wrong answers

Option A is wrong because increasing machine size does not prevent preemption; preemptible VMs can be terminated at any time regardless of size, and larger machines may actually increase cost without solving the reliability issue. Option B is wrong because commitment-based discounts (e.g., 1-year or 3-year commitments) require a sustained usage baseline, but this workload runs only 10 minutes per hour, making commitments cost-ineffective and inflexible. Option C is wrong because while standard VMs avoid preemption, they are significantly more expensive than preemptible VMs, and the goal is a cost-effective solution, not just reliability.

81
MCQ · hard

You are designing a high-availability architecture for a global e-commerce platform that uses Cloud SQL for MySQL as the primary database. The application writes to a single Cloud SQL instance in us-central1 and reads from read replicas in us-central1 and us-west1. During a recent regional outage in us-central1, the primary instance became unavailable, and the application experienced full downtime for 3 hours because the failover to a read replica was not automatic. The application can tolerate up to 10 minutes of data loss but needs to recover within 30 minutes. You need to automate failover to a geographically distant region with minimal manual intervention. The application's connection string must not change. Which solution meets these requirements?

A. Set up a Cloud SQL for MySQL high-availability configuration across zones within us-central1
B. Create a cross-region read replica in us-west1, use Cloud Load Balancing with a static IP that maps to the primary or promoted replica, and automate monitoring and failover via Cloud Functions
C. Configure an external read replica in us-west1 and manually promote it using gcloud commands during an incident
D. Enable automatic failover by creating a Cloud SQL for MySQL regional failover replica in us-central1
Answer: B

Correct: cross-region replica with load balancer and automation meets RTO and RPO.

Why this answer

Option B is correct because it uses a cross-region read replica in us-west1 combined with a static IP via Cloud Load Balancing, which allows the connection string to remain unchanged after failover. Cloud Functions automate the monitoring and promotion of the replica, meeting the 30-minute recovery and 10-minute data loss tolerance. This design ensures failover to a geographically distant region with minimal manual intervention, unlike single-zone or same-region HA configurations.

Exam trap

The trap here is that candidates often confuse zonal high-availability (HA) with cross-region disaster recovery, assuming that a regional failover replica (Option D) provides geographic redundancy, when in fact it only spans zones within the same region.

How to eliminate wrong answers

Option A is wrong because a high-availability configuration across zones within us-central1 does not provide failover to a geographically distant region; it only protects against zonal failures, not a full regional outage. Option C is wrong because manually promoting an external read replica using gcloud commands during an incident does not meet the requirement for automated failover with minimal manual intervention, and it would likely exceed the 30-minute recovery time. Option D is wrong because a regional failover replica in us-central1 is still within the same region and cannot recover from a regional outage; it only provides zonal HA within that region.

82
MCQ · easy

An organization needs to ensure that only Compute Engine instances with a specific label can access a Cloud Storage bucket. Which policy type should be used?

A. Organization policy
B. Firewall rule
C. IAM policy
D. Signed URL
Answer: C

IAM conditions can enforce label-based access to Cloud Storage.

Why this answer

IAM policies are the correct mechanism to control access to Cloud Storage buckets based on identity and conditions. By attaching an IAM policy to the bucket with a condition that checks for a specific label on the requesting Compute Engine instance (e.g., using `resource.labels.tag`), you can restrict access to only those instances that have that label. This is the native Google Cloud way to implement attribute-based access control (ABAC) for storage resources.

Exam trap

The trap here is that candidates often confuse IAM conditions with Organization policies or firewall rules, thinking that network-level controls can enforce label-based access to Cloud Storage, when in fact only IAM with conditions can evaluate resource metadata like labels at the API level.

How to eliminate wrong answers

Option A is wrong because Organization policies are used to enforce constraints on all resources within an organization (e.g., disabling service creation), not to grant or deny access to individual resources like a Cloud Storage bucket based on instance labels. Option B is wrong because Firewall rules control network traffic at the VPC level (IP addresses, ports, protocols) and cannot evaluate instance labels or grant access to Cloud Storage, which is a global service accessed via HTTPS. Option D is wrong because Signed URLs provide time-limited access to specific objects in a bucket without requiring authentication, but they cannot restrict access based on the requesting instance's labels; they are designed for sharing objects externally, not for internal access control.

83
MCQ · hard

Your company runs a containerized microservices application on Google Kubernetes Engine (GKE) with a regional cluster. The application consists of a frontend service, a backend API service, and a background worker service that processes messages from Cloud Pub/Sub. The worker service uses a Deployment with 3 replicas. Recently, the team noticed that the worker service is frequently failing with 'ContainerCreating' errors. The error message in the pod events is: 'Failed to pull image "gcr.io/my-project/my-worker:latest": rpc error: code = DeadlineExceeded desc = context deadline exceeded'. The image is stored in Container Registry in the same project. The cluster nodes are n1-standard-2 VMs with 10 GB of disk space. The team has confirmed that the image exists and that the nodes have internet access. What is the most likely cause of the issue?

A. The worker pods require node affinity to a specific node pool that is not configured.
B. The nodes have insufficient disk space to pull the new image, causing the pull to time out.
C. The nodes do not have the necessary permissions to access Container Registry.
D. The cluster is a regional cluster, but the worker pods are all scheduled in the same zone, causing resource contention.
Answer: B

With 10 GB disk and multiple images, disk may fill up, leading to failed pulls.

Why this answer

The error 'context deadline exceeded' when pulling an image indicates that the kubelet timed out while trying to download the container image. With only 10 GB of disk space on n1-standard-2 nodes, the node's disk may be nearly full, causing the image pull to stall or fail due to insufficient space to unpack the layers. This is the most likely cause because the image exists and internet access is confirmed, ruling out authentication or connectivity issues.

Exam trap

Google Cloud often tests the distinction between image pull errors that are due to permissions (e.g., 'unauthorized') versus resource exhaustion (e.g., disk full), and candidates mistakenly assume internet connectivity or permissions are the issue when the error message explicitly mentions a deadline exceeded.

How to eliminate wrong answers

Option A is wrong because node affinity is used to constrain pod scheduling to specific nodes, but the error is about pulling an image, not scheduling; the pods are already being created but fail during container setup. Option C is wrong because if nodes lacked permissions to access Container Registry, the error would be 'unauthorized' or 'access denied', not a deadline exceeded timeout; the team confirmed the image exists and nodes have internet access. Option D is wrong because a regional cluster distributes pods across zones by default, and even if all pods were in one zone, resource contention would manifest as 'Unschedulable' or 'CPU/memory pressure', not a pull timeout.

84
MCQ · easy

A company uses Cloud Storage for backup data. They want to protect against accidental deletion. Which option is best?

A. Enable object versioning.
B. Use a lifecycle policy.
C. Set a retention policy.
D. Enable object versioning.
Answer: A

Preserves noncurrent versions for recovery.

Why this answer

Object versioning in Cloud Storage preserves every version of an object, including overwrites and deletions. When versioning is enabled, a delete operation creates a delete marker instead of permanently removing the object, allowing easy recovery. This directly protects against accidental deletion by retaining all previous object versions.

Exam trap

Google Cloud often tests the distinction between versioning (which allows recovery from accidental deletion) and retention policies (which prevent deletion but do not provide recovery after the fact), leading candidates to confuse compliance protection with accidental deletion protection.

How to eliminate wrong answers

Option B is wrong because lifecycle policies automate transitions or deletions based on age or conditions, but they do not prevent accidental deletion; they can actually cause deletion if misconfigured. Option C is wrong because retention policies (e.g., Bucket Lock) prevent object modification or deletion for a fixed period, but they are designed for compliance and data retention, not for recovering from accidental deletion after the fact. Option D is a duplicate of the correct answer and is not a separate option; the question lists two identical 'Enable object versioning' entries, but only one is correct.

85
MCQ · easy

A company runs a global e-commerce site on GKE. They want to ensure disaster recovery with multi-region deployment. What is the best practice for configuring GKE clusters?

A. Deploy separate regional clusters in two or more regions.
B. Use a single zonal cluster with node auto-repair.
C. Deploy a single cluster with multi-master setup.
D. Use a single regional cluster with multiple zones.
Answer: A

Multi-region clusters provide geographic redundancy.

Why this answer

For disaster recovery with a multi-region deployment, the best practice is to deploy separate regional clusters in two or more regions. This ensures that if an entire region fails, traffic can be redirected to the other region's cluster, providing true geographic redundancy. A single cluster, whether zonal or regional, cannot survive a regional outage because it is bound to a single control plane location.

Exam trap

Google Cloud often tests the misconception that a regional cluster with multiple zones is sufficient for disaster recovery, but the trap here is that a regional cluster is still confined to a single region and cannot survive a full regional outage.

How to eliminate wrong answers

Option B is wrong because a single zonal cluster with node auto-repair only protects against node-level failures within that single zone, not against a full zone or regional outage, and thus does not meet multi-region disaster recovery requirements. Option C is wrong because GKE does not support a multi-master setup; each cluster has a single control plane, and multi-master is not a valid configuration for GKE. Option D is wrong because a single regional cluster with multiple zones provides high availability within a single region but cannot survive a regional failure, as the control plane is still regional and would be unavailable if the entire region goes down.

86
MCQ · hard

An organization has set the IAM policy constraint 'constraints/iam.allowedPolicyMemberDomains' with the values shown. Which of the following users can be granted an IAM role on a project in this organization?

A. service-account@project-id.iam.gserviceaccount.com
B. external@otherdomain.com
C. admin@another-customer-domain.com
D. user@example.com
Answers: A, D

Service accounts within the organization are allowed.

Why this answer

The constraint 'constraints/iam.allowedPolicyMemberDomains' restricts IAM role grants to members from specified domains. The value 'gserviceaccount.com' is implicitly allowed for service accounts because they are managed by Google and are not subject to domain restrictions. Therefore, service-account@project-id.iam.gserviceaccount.com can be granted an IAM role on a project in this organization.

Exam trap

Google Cloud often tests the misconception that all service accounts are exempt from domain restrictions, but only Google-managed service accounts (those ending in 'gserviceaccount.com') are exempt; customer-managed service accounts from other domains are still subject to the constraint.

How to eliminate wrong answers

Option B is wrong because 'external@otherdomain.com' is from a domain not listed in the constraint, and the constraint explicitly denies granting roles to users from unlisted domains. Option C is wrong because 'admin@another-customer-domain.com' is from a domain that is not allowed by the constraint, and the constraint applies to all IAM members except Google-managed service accounts.

87
Multi-Select · easy

A company is designing a data pipeline to ingest streaming data from IoT devices and store it in BigQuery for analysis. They need to minimize latency and operational overhead. Which two Google Cloud services should they use? (Choose two.)

Select 2 answers
A. Cloud Dataflow
B. Cloud Pub/Sub
C. Cloud Dataproc
D. Cloud Storage
E. Cloud Functions
Answers: A, B

Cloud Dataflow can process streaming data from Pub/Sub and write to BigQuery in real time.

Why this answer

Cloud Pub/Sub is the recommended service for ingesting streaming data, and Cloud Dataflow can process the data and write it directly to BigQuery with low latency. Cloud Storage is for batch uploads, Cloud Functions is event-driven but not ideal for high-throughput streaming, and Cloud Dataproc is for batch processing.

88
MCQ · easy

Your company runs a stateless web application on Compute Engine. You want to ensure that if a zone fails, the application continues to serve traffic with minimal manual intervention. What should you do?

A. Schedule regular snapshots of each instance's persistent disk to a regional bucket.
B. Create a regional managed instance group with an autoscaling policy and use a global Cloud Load Balancer.
C. Use a global Cloud Load Balancer and enable Cloud CDN.
D. Create an instance template and manually deploy instances in another zone.
Answer: B

A regional MIG with autoscaling across zones and a global load balancer ensures traffic is rerouted away from failed zones and instances are automatically replaced.

Why this answer

A regional managed instance group (MIG) distributes instances across multiple zones within a region, ensuring that if one zone fails, the remaining zones continue serving traffic. Combined with a global Cloud Load Balancer, traffic is automatically routed to healthy instances in any zone, providing high availability with minimal manual intervention. Autoscaling further ensures that new instances are created to handle load, even if a zone becomes unavailable.

Exam trap

Google Cloud often tests the distinction between data backup (snapshots) and compute redundancy (MIGs), leading candidates to choose backup solutions when the question asks for continuous traffic serving during a zone failure.

How to eliminate wrong answers

Option A is wrong because scheduling snapshots to a regional bucket provides data backup and disaster recovery for persistent disks, but does not automatically redirect traffic or maintain application availability during a zone failure; it requires manual restoration and reconfiguration. Option C is wrong because enabling Cloud CDN caches static content at edge locations, which improves performance and reduces load on origin servers, but does not provide zone-level redundancy or automatic failover for the compute instances themselves. Option D is wrong because manually deploying instances in another zone is a manual, slow process that does not provide automated failover or load balancing; it also lacks autoscaling and health checking, leading to potential downtime and increased operational overhead.

89
Multi-Select · easy

A company uses Cloud Storage to store user-uploaded content. They want to ensure that the data is highly durable and protected against accidental deletion. Which two features should they enable? (Choose two.)

Select 2 answers
A. Requester pays.
B. Lifecycle management.
C. Object versioning.
D. Bucket retention policy.
E. Uniform bucket-level access.
Answers: C, D

Versioning protects against accidental deletion or overwrite.

Why this answer

Options C and D are correct: object versioning preserves previous versions, and a retention policy prevents deletion until the retention period ends. Option B (lifecycle management) is for automated deletion. Option A (requester pays) is for billing.

Option E (uniform bucket-level access) is for access control.

90
MCQ · hard

An organization policy at the organization level restricts project creation to only Project Creator role holders. The exhibit shows the IAM policy for the organization. A member of the group pm-team@example.com attempts to create a project but receives a permission denied error. What is the most likely cause?

A. The user's email domain is not allowed by the organization policy.
B. An organization policy with a constraint to block project creation for non-allowlisted users is enforced.
C. The group pm-team@example.com does not exist.
D. The IAM policy is missing the resourcemanager.projectCreator role.
Answer: B

Organization policy can deny project creation even if IAM allows it.

Why this answer

Option B is correct because the organization policy explicitly restricts project creation to only users who hold the Project Creator role. The user is a member of pm-team@example.com but does not have the Project Creator role, so the policy denies the request. This is a common IAM constraint at the organization level that overrides any lower-level permissions.

Exam trap

Google Cloud often tests the distinction between IAM roles and organization policies, where candidates mistakenly think that having a role at any level is sufficient, ignoring that organization-level constraints can block actions even with the correct role at a lower level.

How to eliminate wrong answers

Option A is wrong because the organization policy does not mention any email domain restriction; the error is due to role absence, not domain. Option C is wrong because if the group did not exist, the user would not be a member and the error would be different (e.g., 'group not found'), not a permission denied on project creation. Option D is wrong because the IAM policy shown includes the resourcemanager.projectCreator role for the group, but the organization policy overrides it by restricting creation to only Project Creator role holders, meaning the user lacks the specific role binding required by the policy.

91
MCQ · medium

A team deployed a new version of a service on Cloud Run. After deployment, users report 502 errors. The logs show "Error: Server Error" with no stack trace. What is the first step the team should take to diagnose the issue?

A. Enable Cloud Debugger to inspect the running instance.
B. Check the container image for missing dependencies or misconfiguration.
C. Increase Cloud Run max instances limit.
D. Rollback to the previous version immediately.
Answer: B

Logs indicate the container may be failing to start, so checking dependencies is the first diagnostic step.

Why this answer

The 502 error with 'Error: Server Error' and no stack trace typically indicates that the container failed to start or crashed immediately after startup, often due to missing dependencies or misconfiguration in the container image. Cloud Run requires the container to listen on the port specified by the PORT environment variable (default 8080) and respond to health checks; if the container exits or fails to bind, Cloud Run returns a 502. Checking the container image is the first diagnostic step because it addresses the most common root cause before investigating runtime or scaling issues.

Exam trap

Google Cloud often tests the distinction between startup failures (502) and runtime errors (500), leading candidates to mistakenly choose Cloud Debugger or scaling fixes instead of verifying the container image first.

How to eliminate wrong answers

Option A is wrong because Cloud Debugger is designed for inspecting live application state (e.g., variables, stack traces) in a running instance, but here the container is likely failing to start or crashing immediately, so there is no running instance to attach to. Option C is wrong because increasing the max instances limit addresses scaling or concurrency issues (e.g., 429 or 503 errors), not a 502 error caused by a container startup failure. Option D is wrong because rolling back immediately is a reactive recovery action, not a diagnostic step; the team should first understand the root cause to prevent recurrence, and the question explicitly asks for the first step to diagnose the issue.

92
MCQ · hard

A developer is deploying a containerized application to Cloud Run. The deployment fails with the error above. What is the most likely cause?

A. The container is listening on port 3000 instead of 8080.
B. The container health check is misconfigured.
C. The container startup script fails.
D. The container does not have a web server.
Answer: A

Cloud Run requires the container to listen on the port defined by the PORT environment variable, which defaults to 8080.

Why this answer

Cloud Run requires containers to listen on the port defined by the `PORT` environment variable, which defaults to 8080. If the container is hardcoded to listen on port 3000, Cloud Run's health checks and routing will fail because the runtime cannot reach the application on the expected port, causing the deployment to fail.

Exam trap

Google Cloud often tests the misconception that any port mismatch will cause a health check failure, but the actual trap is that Cloud Run's deployment validation checks port binding before the container is considered healthy, so a wrong port causes an immediate deployment failure, not a post-deployment health check issue.

How to eliminate wrong answers

Option B is wrong because a misconfigured health check would cause the container to be marked unhealthy after startup, but the deployment itself would still succeed initially; the error in the question indicates a deployment failure, not a post-deployment health check failure. Option C is wrong because a startup script failure would typically result in a different error (e.g., container crash loop or exit code), not a port mismatch error. Option D is wrong because the container does have a web server (it listens on port 3000), but it is listening on the wrong port; Cloud Run does not require a specific web server, only that the container listens on the correct port.

93
MCQ · medium

A financial services company runs a mission-critical database on Compute Engine with local SSDs. They need to ensure data durability in case of an instance failure while maintaining low latency. What should they do?

A. Configure a regional persistent disk with synchronous replication and attach it to the instance
B. Use a managed instance group with autohealing and store data on a persistent disk
C. Set up a read replica in another zone using database-native replication
D. Take regular snapshots of the local SSDs to Cloud Storage
Answer: A

Regional persistent disks replicate data synchronously across zones, providing durability and low latency.

Why this answer

Regional persistent disks (PD) provide synchronous replication of data between two zones in the same region, ensuring data durability even if the entire zone fails. By attaching a regional PD to a Compute Engine instance, you maintain low latency (since the disk is network-attached but still within the same region) while achieving the required durability. Local SSDs, while offering very low latency, are ephemeral and lose data on instance failure, so they are not suitable for mission-critical durability requirements.

Exam trap

Google Cloud often tests the misconception that local SSDs are durable because they are fast, but the trap here is that local SSDs are ephemeral and data is lost on instance failure, so candidates may incorrectly choose snapshotting or database replication instead of the correct regional persistent disk solution.

How to eliminate wrong answers

Option B is wrong because a managed instance group with autohealing only recreates instances but does not preserve data on local SSDs, which are ephemeral; persistent disks would be needed for durability, but the option does not specify regional replication. Option C is wrong because setting up a read replica in another zone using database-native replication addresses read availability and disaster recovery, but it does not protect against the primary instance failure that loses local SSD data; it also adds latency for writes and does not provide synchronous durability for the primary database. Option D is wrong because regular snapshots of local SSDs to Cloud Storage provide point-in-time recovery but introduce significant latency for snapshot creation and do not guarantee zero data loss on instance failure; snapshots are asynchronous and not suitable for mission-critical, low-latency durability requirements.

94
MCQ · medium

A developer is using Cloud Build to automate deployments. The build fails with an error: 'Permission 'iam.serviceAccounts.actAs' denied.' What is the most likely cause?

A. The developer does not have iam.serviceAccounts.actAs permission on the project
B. The build configuration is missing a required step
C. The Cloud Build service account is not enabled
D. The Cloud Build service account does not have the Service Account User role on the service account used in the build steps
Answer: D

actAs permission is required for impersonation.

Why this answer

The error 'Permission iam.serviceAccounts.actAs denied' occurs when a Cloud Build build step tries to impersonate a service account (e.g., to deploy resources) but the Cloud Build service account lacks the Service Account User role on that target service account. Option D correctly identifies that the Cloud Build service account does not have the `roles/iam.serviceAccountUser` role on the service account used in the build steps, which is required to delegate access.

Exam trap

Google Cloud often tests the distinction between granting permissions to a user versus granting roles to a service account, and the trap here is that candidates mistakenly think the developer needs the `actAs` permission directly (Option A), when in fact it is the Cloud Build service account that requires the Service Account User role on the target service account.

How to eliminate wrong answers

Option A is wrong because the `iam.serviceAccounts.actAs` permission is not granted directly to the developer; it is granted to a service account (the Cloud Build service account) on another service account. The error is about the Cloud Build service account lacking this permission, not the developer. Option B is wrong because a missing build step would typically cause a syntax or execution error, not a specific IAM permission denial. Option C is wrong because the Cloud Build service account is enabled by default when Cloud Build is used; the error is about missing IAM roles on that service account, not its existence.

95
Drag & Drop · medium

Drag and drop the steps to set up a VPC network peering between two projects in Google Cloud into the correct order.


Why this order

VPC peering requires bidirectional connections; both sides must initiate peering. IP ranges must not overlap.

96
Multi-Select · hard

An organization is implementing a data loss prevention (DLP) strategy for sensitive data stored in Cloud Storage. They want to automatically detect and redact credit card numbers in CSV files uploaded to a specific bucket. Which TWO Google Cloud services should they combine to achieve this?

Select 2 answers
A. Cloud Dataflow
B. Cloud Run
C. Cloud DLP
D. Cloud Functions
E. BigQuery
Answers: C, D

Cloud DLP provides inspection and redaction of sensitive data types like credit card numbers.

Why this answer

Cloud DLP (option C) is correct because it provides native content inspection and de-identification (redaction) of sensitive data like credit card numbers using built-in infoType detectors. Cloud Functions (option D) is correct because it can be triggered by Cloud Storage events (e.g., finalize/create) to invoke the DLP API on newly uploaded CSV files, enabling serverless, event-driven processing without managing infrastructure.

Exam trap

The trap here is that candidates may choose Cloud Dataflow (option A) thinking it is required for large-scale DLP processing, but the question specifies 'uploaded to a specific bucket' which implies per-file, event-driven processing where Cloud Functions is the simpler and correct serverless choice.

97
MCQ · easy

A startup is building a web application that experiences unpredictable traffic spikes. They want a scalable solution that minimizes costs. Which Google Cloud service should they use to run their containerized application?

A. App Engine Standard Environment
B. Cloud Run for Anthos
C. Compute Engine with managed instance groups
D. Google Kubernetes Engine (GKE) with autoscaling
Answer: D

GKE provides automatic scaling of nodes and pods, ideal for containerized apps with spikes.

Why this answer

Google Kubernetes Engine (GKE) with autoscaling is the correct choice because it combines cluster autoscaling (which adjusts the number of nodes based on pod resource requests) with Horizontal Pod Autoscaling (which scales the number of pod replicas based on CPU/memory utilization or custom metrics). This dual-layer scaling handles unpredictable traffic spikes efficiently while minimizing costs by only provisioning resources when needed, and it is purpose-built for containerized applications.

Exam trap

The trap here is that candidates often choose Compute Engine with managed instance groups (Option C) because they think it is the most cost-effective, but they overlook that GKE's autoscaling is more granular (pod-level vs. VM-level) and reduces operational overhead for containerized workloads, making it the better choice for minimizing costs and handling unpredictable spikes.

How to eliminate wrong answers

Option A is wrong because App Engine Standard Environment runs applications in a sandboxed runtime (e.g., Java 8, Python 2.7) and does not support arbitrary containerized workloads; it requires code to conform to specific runtime constraints and does not allow custom Docker images. Option B is wrong because Cloud Run for Anthos is designed for running stateless containers on GKE clusters, but it adds unnecessary complexity and cost (Anthos licensing) for a simple web app that does not require hybrid/multi-cloud capabilities; GKE alone with autoscaling is more cost-effective. Option C is wrong because Compute Engine with managed instance groups can autoscale VMs, but it requires manual management of container orchestration (e.g., installing Docker, configuring load balancers) and lacks the native pod-level scaling and self-healing capabilities that GKE provides for containerized applications, leading to higher operational overhead and potential cost inefficiency.

98
MCQ · medium

Refer to the exhibit. A developer wants to SSH into instance-1 from their local machine. Which command should they use?

A. gcloud compute ssh instance-2
B. gcloud compute ssh instance-1 --project default
C. gcloud compute ssh instance-1 --internal-ip
D. gcloud compute ssh instance-1 --zone us-central1-a
Answer: D

This command uses the external IP via SSH keys managed by gcloud.

Why this answer

Option D is correct because the `gcloud compute ssh` command requires the `--zone` flag when the zone is not set in the gcloud configuration or when the instance is in a different zone than the default. In this scenario, instance-1 is in zone us-central1-a, so specifying `--zone us-central1-a` ensures the SSH connection targets the correct instance. Without this flag, the command may fail or connect to the wrong instance if the default zone is different.

Exam trap

The trap here is that candidates often overlook the zone requirement and assume the `--project` flag or omitting the zone will work, but the PCA exam tests the precise need for zone specification when the default zone is not set or differs from the instance's zone.

How to eliminate wrong answers

Option A is wrong because it specifies instance-2 instead of instance-1, which is the target instance the developer wants to SSH into. Option B is wrong because the `--project default` flag sets the project ID, but the issue here is the zone, not the project; the command would still fail if the zone is not correctly specified or defaults to a different zone. Option C is wrong because `--internal-ip` forces the SSH connection to use the internal IP address, which is not reachable from a local machine outside the VPC network; this flag is only useful when connecting from within the same network.

99
Multi-Select · hard

A company is using Cloud Bigtable for time-series data from IoT devices. They are experiencing high latency for queries that scan a large range of rows. Which THREE actions can improve query performance? (Choose three.)

Select 3 answers
A. Reduce the size of row keys.
B. Increase the number of nodes in the Bigtable cluster.
C. Use Key Visualizer to analyze access patterns.
D. Switch from SSD storage to HDD storage.
E. Use application profiles to route to a single cluster if using replication.
Answers: A, B, E

Smaller row keys reduce I/O and improve scan performance.

Why this answer

Reducing the size of row keys (A) improves query performance because Bigtable stores rows sorted by key, and smaller keys reduce the amount of data that must be scanned and transferred during range scans. This directly lowers I/O and network overhead, which is critical for time-series data where row keys often include timestamps and device IDs.

Exam trap

Google Cloud often tests the misconception that Key Visualizer is a performance-tuning action rather than an analysis tool, and that HDD storage could improve latency for large scans, when in fact it degrades performance.

100
Multi-Select · easy

Which TWO actions can reduce costs for a Cloud SQL for MySQL instance? (Choose two.)

Select 2 answers
A. Use database flags to limit connections.
B. Use committed use discounts.
C. Use preemptible instances.
D. Use a smaller machine type during off-peak hours.
E. Use high availability configuration.
Answers: B, D

Committed use discounts provide up to 57% discount for 1-year or 3-year commitment.

Why this answer

Committed use discounts (CUDs) provide significant cost savings (up to 57%) for Cloud SQL instances when you commit to a 1- or 3-year term. Resizing to a smaller machine type during off-peak hours directly reduces compute costs by lowering the vCPU and memory allocation when demand is low, and Cloud SQL supports live instance resizing with minimal downtime.

Exam trap

Google Cloud often tests the misconception that preemptible instances are available for managed services like Cloud SQL, when in fact they are exclusive to Compute Engine and GKE, and candidates may also confuse connection limits with cost reduction, thinking that limiting resources directly lowers the bill.

101
MCQ · hard

A company is designing a disaster recovery plan for a Cloud SQL for PostgreSQL instance. They want to failover to a different region with minimal data loss and recovery time under 10 minutes. The database is 500 GB and experiences 2,000 write transactions per second. Which solution should they use?

A. Export the database daily using gsutil and import in the other region using pg_restore.
B. Create a cross-region read replica and promote it to primary during failover.
C. Configure a cross-region replica instance using Cloud SQL's cross-region replication feature.
D. Automated backups with point-in-time recovery to a new instance in the other region.
Answer: C

Cross-region replication provides a standby instance with synchronous replication, minimal data loss, and failover in minutes.

Why this answer

Cloud SQL for PostgreSQL offers a managed cross-region replication feature that creates a replica instance in a different region, using synchronous or asynchronous replication to keep data nearly in sync. This solution meets the RPO (minimal data loss) and RTO (under 10 minutes) requirements because the replica is continuously updated and can be promoted to primary in minutes, without needing to restore from a backup or export.

Exam trap

Google Cloud often tests the distinction between read replicas (which are intra-region only for Cloud SQL PostgreSQL) and cross-region replica instances (which are a separate managed feature), leading candidates to incorrectly choose option B because they assume read replicas can be cross-region.

How to eliminate wrong answers

Option A is wrong because daily exports using gsutil and pg_restore would result in up to 24 hours of data loss (poor RPO) and the recovery time would exceed 10 minutes due to the time needed to transfer and restore a 500 GB database. Option B is wrong because Cloud SQL for PostgreSQL does not support cross-region read replicas; read replicas are only available within the same region, so this option is not technically feasible. Option D is wrong because automated backups with point-in-time recovery require restoring from a backup stored in the same region or a different region, but the restore process can take significantly longer than 10 minutes for a 500 GB database, and the recovery point would be at best the last backup, not near-real-time.

102
Multi-Select · medium

Which TWO controls should a financial services company implement to comply with PCI DSS requirements related to protecting cardholder data stored in Cloud SQL? (Choose two.)

Select 2 answers
A. Use Cloud DLP to redact cardholder data in logs.
B. Enable Cloud Audit Logs to monitor access to the database.
C. Enable Cloud SQL encryption with Customer-Managed Encryption Keys (CMEK).
D. Configure VPC Service Controls to restrict egress from the Cloud SQL instance.
E. Implement column-level encryption for PAN fields before inserting into the database.
Answers: C, E

CMEK ensures data is encrypted at rest with a key managed by the organization.

Why this answer

Options C and E are correct. PCI DSS Requirement 3.4 requires rendering cardholder data unreadable via encryption. Cloud SQL supports CMEK for encryption at rest, and column-level encryption ensures only encrypted data is stored.

Option D is wrong because VPC Service Controls prevent exfiltration but do not encrypt data. Option A is wrong because DLP can redact data but does not replace encryption for stored data. Option B is wrong because Cloud Audit Logs are for monitoring, not protection.

103
MCQ · medium

An organization has multiple Google Cloud projects that need to access a shared Cloud SQL database. The database should only be accessible from authorized projects. What is the most secure way to grant access?

A. Use Cloud SQL Proxy on each project's Compute Engine instances.
B. Configure the Cloud SQL instance with a private IP in a shared VPC and grant IAM roles to the authorized projects.
C. Expose the Cloud SQL instance on a public IP and authorize the IP ranges of the projects.
D. Set up a Cloud VPN between each project's VPC and the VPC hosting Cloud SQL.
Answer: B

Private IP and shared VPC provide a secure, internal network path with IAM controls.

Why this answer

Option B is correct because using a private IP in a shared VPC ensures that Cloud SQL is not exposed to the public internet, and IAM roles (e.g., roles/cloudsql.client) allow fine-grained access control at the project level. This approach leverages VPC peering or shared VPC to restrict network access exclusively to authorized projects, eliminating the need for public IPs or complex VPN configurations while maintaining high security.

Exam trap

The trap here is that candidates often confuse Cloud SQL Proxy (a secure tunnel tool) with a method for project-level authorization, when in fact it only provides encryption and IAM-based user authentication, not network-level restriction to specific projects.

How to eliminate wrong answers

Option A is wrong because Cloud SQL Proxy is a client-side tool that provides encrypted connections and IAM-based authentication, but it does not by itself restrict access to authorized projects; it still requires the Cloud SQL instance to have a public IP or be accessible via private networking, and it does not enforce project-level authorization. Option C is wrong because exposing Cloud SQL on a public IP and authorizing IP ranges is less secure; IP addresses can be spoofed or changed, and this approach relies on network-level controls rather than IAM-based project authorization, increasing the attack surface. Option D is wrong because setting up a Cloud VPN between each project's VPC and the VPC hosting Cloud SQL adds unnecessary complexity and cost; a shared VPC or VPC peering is more straightforward and provides the same private connectivity without the overhead of VPN tunnels.

104
Drag & Drop · medium

Drag and drop the steps to set up a Cloud VPN tunnel between Google Cloud and an on-premises network into the correct order.


Why this order

Cloud Router is used for dynamic routing. The tunnel requires the on-premises public IP and pre-shared key.

105
MCQ · easy

A company is running a web application on Compute Engine instances that average 20% CPU utilization. They want to reduce costs without impacting performance. What is the most effective action?

A. Rightsize instances to a smaller machine type based on usage metrics.
B. Change instance type to e2-standard-4.
C. Purchase 3-year committed use discounts.
D. Use preemptible instances for all traffic.
Answer: A

Rightsizing matches capacity to demand, reducing cost without performance impact.

Why this answer

The instances are averaging only 20% CPU utilization, indicating they are over-provisioned. Rightsizing to a smaller machine type directly reduces the compute cost per instance while maintaining adequate performance for the current workload, as the smaller instance can handle the existing load without degradation.

Exam trap

The trap here is that candidates often choose committed use discounts (Option C) as a quick cost-saving measure, failing to realize that rightsizing first yields greater savings without long-term commitment, and that preemptible instances (Option D) are not viable for production traffic due to their ephemeral nature.

How to eliminate wrong answers

Option B is wrong because it specifies a particular machine type (e2-standard-4) without considering the current usage metrics; this is a generic recommendation that may not be the optimal size and could still be over-provisioned or under-provisioned. Option C is wrong because purchasing 3-year committed use discounts locks in a long-term commitment for the current instance types, which may still be over-provisioned; rightsizing first then applying commitments is more cost-effective. Option D is wrong because preemptible instances can be terminated at any time by Google Cloud, making them unsuitable for handling all traffic in a production web application that requires reliability and availability.

106
MCQ · medium

A company hosts a web application on Compute Engine behind a global HTTP(S) load balancer. They notice that some users experience high latency from certain regions. They want to improve performance without adding complexity. What should they do?

A. Add more instances in the same region
B. Use Premium Tier networking
C. Enable Cloud Armor
D. Enable Cloud CDN
Answer: D

Cloud CDN caches content at edge locations, reducing latency.

Why this answer

Option D is correct because enabling Cloud CDN caches content at Google's globally distributed edge caches, reducing latency for users in regions far from the origin Compute Engine instances. This directly addresses the high-latency issue without adding complexity, as it requires no changes to the application architecture and is a simple configuration toggle on the load balancer backend bucket or backend service.

Exam trap

The trap here is that candidates may confuse network optimization (Premium Tier) with content caching (CDN), assuming that faster routing alone solves geographic latency, but only caching eliminates the need for long-distance round trips.

How to eliminate wrong answers

Option A is wrong because adding more instances in the same region does not reduce latency for users in distant regions; it only increases capacity within that region, leaving cross-continental network hops unchanged. Option B is wrong because Premium Tier networking improves routing performance by using Google's global fiber network, but it does not cache content; it still requires a full round trip to the origin for every request, so it does not eliminate latency from geographic distance. Option C is wrong because Cloud Armor provides security protections like DDoS mitigation and WAF rules; it does not cache or accelerate content delivery, so it has no effect on latency for static or cacheable responses.

107
MCQ · hard

A company is migrating a large on-premises SQL Server database to Cloud SQL for SQL Server. The database is 2 TB in size and must have minimal downtime. Which approach should they use?

A. Set up a Cloud SQL HA instance and replicate on-premises using Always On availability groups
B. Export the database to CSV files, then import using Cloud SQL import
C. Use Database Migration Service (DMS) for continuous one-way replication
D. Perform a full backup to Cloud Storage, then restore into Cloud SQL
Answer: C

DMS provides near-zero downtime migration for SQL Server.

Why this answer

Database Migration Service (DMS) supports continuous one-way replication from on-premises SQL Server to Cloud SQL for SQL Server using native SQL Server transaction log shipping or Always On availability group replication. This minimizes downtime by keeping the target synchronized during the migration cutover, which is critical for a 2 TB database where a full backup/restore would cause extended downtime.

Exam trap

The trap here is that candidates often assume a full backup/restore (Option D) is the simplest and fastest method, but for large databases with minimal downtime requirements, continuous replication via DMS is the only viable option, and Cloud SQL HA (Option A) is a high-availability feature for within Cloud SQL, not for hybrid replication from on-premises.

How to eliminate wrong answers

Option A is wrong because setting up a Cloud SQL HA instance with Always On availability groups for replication from on-premises is not a supported configuration; Cloud SQL for SQL Server does not support Always On availability groups as a replication target from external sources. Option B is wrong because exporting a 2 TB database to CSV files is impractical for minimal downtime due to the time required for export, transfer, and import, and it does not provide continuous replication to avoid downtime. Option D is wrong because performing a full backup to Cloud Storage and restoring into Cloud SQL requires taking the on-premises database offline for the duration of the backup and restore, which does not meet the minimal downtime requirement.

108
MCQ · hard

A company is migrating a monolithic application to Google Cloud. The application consists of a stateful service that writes to local disk and a stateless web server. They want to minimize changes to the code. Which architecture should they use?

A. Run the entire application on Cloud Run and use Cloud Filestore for shared state
B. Use App Engine Flexible Environment for the web server and Cloud SQL for state
C. Refactor the application into microservices and deploy on GKE with StatefulSets
D. Lift and shift to Compute Engine instances with persistent disks for stateful service
Answer: D

Minimal code changes, uses persistent disks for state.

Why this answer

Option D is correct because it represents a lift-and-shift migration that minimizes code changes by running the monolithic application on Compute Engine instances. The stateful service can use persistent disks for local disk writes, while the stateless web server runs on the same or separate instances, preserving the existing architecture without refactoring.

Exam trap

The trap here is that candidates often over-engineer the solution by choosing cloud-native options (like Cloud Run or GKE) that require code changes, ignoring the explicit requirement to minimize changes and the suitability of a simple lift-and-shift with persistent disks.

How to eliminate wrong answers

Option A is wrong because Cloud Run is stateless and does not support local disk writes; Cloud Filestore is a network file system that would require code changes to replace local disk I/O. Option B is wrong because App Engine Flexible Environment does not support local disk writes for stateful services, and migrating to Cloud SQL would require significant code changes to replace local disk-based state. Option C is wrong because refactoring into microservices and using GKE with StatefulSets contradicts the requirement to minimize code changes, as it requires substantial application restructuring.

109
MCQ · medium

A developer runs the command above. The instance is created successfully, but cannot be reached via HTTP from the internet. What is the most likely cause?

A. There is no firewall rule allowing ingress traffic on ports 80 and 443.
B. The machine type n1-standard-2 is not suitable for HTTP.
C. The image family debian-10 does not support HTTP.
D. The boot disk type pd-standard is too slow.
Answer: A

Tags alone don't open ports; firewall rules needed.

Why this answer

The most likely cause is that there is no firewall rule allowing ingress traffic on ports 80 and 443. By default, Google Cloud Platform (GCP) firewall rules block all incoming traffic from the internet. Even though the instance is created successfully, HTTP/HTTPS traffic cannot reach it unless a firewall rule explicitly permits ingress on TCP ports 80 and 443, typically via a target tag like 'http-server' or 'https-server'.

Exam trap

Google Cloud often tests the misconception that creating a VM with a public IP automatically makes it reachable from the internet, when in reality GCP's default firewall rules block all ingress traffic until explicitly opened.

How to eliminate wrong answers

Option B is wrong because the machine type n1-standard-2 is a general-purpose machine that fully supports HTTP traffic; machine type does not affect protocol support. Option C is wrong because the image family debian-10 is a standard Linux distribution that supports HTTP out of the box; the OS image does not determine network reachability. Option D is wrong because the boot disk type pd-standard (standard persistent disk) provides sufficient I/O for basic HTTP serving; disk speed does not prevent the instance from being reached via HTTP from the internet.

110
MCQ · medium

A team is using Cloud Functions and wants to ensure retries on failure. What is the best practice?

A. Increase function timeout.
B. Use background functions with Pub/Sub.
C. Configure maximum retries and set dead-letter topic.
D. Use synchronous invocation.
Answer: C

Automatic retries with dead-letter for investigation.

Why this answer

Option C is correct because Cloud Functions (2nd gen) and Cloud Run allow configuring maximum retry attempts and a dead-letter topic to handle messages that repeatedly fail processing. This ensures that transient failures are retried automatically, while persistent failures are captured in a dead-letter queue for later analysis, preventing message loss and enabling reliable event-driven processing.

Exam trap

Google Cloud often tests the misconception that simply using a background function or increasing timeout is sufficient for reliability, when in fact explicit retry configuration and dead-letter handling are required for robust error recovery.

How to eliminate wrong answers

Option A is wrong because increasing function timeout does not cause retries; it only extends the maximum execution duration, and if the function fails after the timeout, no retry is triggered unless explicitly configured. Option B is wrong because background functions with Pub/Sub are a type of function, not a retry mechanism; while Pub/Sub can be used with retry policies, the statement itself does not address configuring retries or dead-letter topics. Option D is wrong because synchronous invocation (e.g., via HTTP triggers) does not inherently provide retry logic; the caller must implement retries, and Cloud Functions does not automatically retry synchronous invocations on failure.

111
Drag & Drop · medium

Drag and drop the steps to deploy a containerized application to Google Kubernetes Engine (GKE) using a Deployment into the correct order.


Why this order

The image must be in a registry before the Deployment can reference it. The Service provides external access.

112
MCQ · easy

A company wants to monitor their Cloud Run services for errors and latency. Which Google Cloud product should they use?

A. Cloud Trace
B. Cloud Monitoring
C. Cloud Logging
D. Error Reporting
Answer: B

Provides metrics, dashboards, and alerts.

Why this answer

Cloud Monitoring (formerly Stackdriver Monitoring) provides comprehensive observability for Cloud Run services, including built-in dashboards for request latency, error rates, and resource utilization. It collects metrics like request count, request latencies, and container instance counts, and allows you to set alerting policies based on these metrics. While Cloud Trace can help with latency analysis and Cloud Logging captures logs, Cloud Monitoring is the primary product for monitoring both errors and latency in a unified view.

Exam trap

The trap here is that candidates often confuse Cloud Trace (for latency) or Error Reporting (for errors) as standalone solutions, but the question asks for a single product that monitors both errors and latency, which is Cloud Monitoring's role as the central metrics and alerting platform.

How to eliminate wrong answers

Option A is wrong because Cloud Trace is a distributed tracing tool focused on analyzing latency across service requests, but it does not provide a unified dashboard for error rates or resource metrics for Cloud Run. Option C is wrong because Cloud Logging is for storing, searching, and analyzing log data, not for monitoring metrics like latency percentiles or error counts in real-time dashboards. Option D is wrong because Error Reporting aggregates and analyzes application errors from logs, but it does not monitor latency or provide a holistic view of service health.

113
Multi-Selecthard

Your service has a 99.99% uptime SLO (monthly error budget ~ 4 minutes). Which TWO monitoring practices best support this SLO? (Choose 2)

Select 2 answers
A.Monitor CPU utilization and alert when average exceeds 80%.
B.Use a combination of availability (e.g., HTTP 200 rate) and latency (e.g., p99) as SLIs.
C.Use only synthetic monitoring from multiple locations.
D.Alert on every 5xx error immediately.
E.Track error budget consumption and alert when burn rate exceeds a threshold.
AnswersB, E

Good SLIs reflect user experience; availability and latency are common SLIs.

Why this answer

Options B and E are correct. Good SLIs reflect what users actually experience: availability (for example the fraction of requests that return HTTP 200) and latency (for example p99) are the standard pair, and tracking the error budget with burn-rate alerting is the standard way to manage an SLO. Option A is wrong: CPU utilization alone is not a user-facing SLI; it may be a useful cause-based signal, but it says nothing about whether users are being served.

Option C is wrong: synthetic probes from multiple locations are useful but not sufficient on their own; combine them with metrics from real user traffic. Option D is wrong: paging on every 5xx error causes alert fatigue, and with a 99.99% target a handful of errors may be well within budget; alert on the rate at which the error budget is being burned instead.
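The two practices the key picks, a combined availability-plus-latency SLI and burn-rate alerting, worked through as an added Python example (not code from the page or from Google). The SLO target is the question's 99.99%; the 800 ms latency threshold, the request samples and the hourly counts are constructed assumptions, and the window/threshold table follows the multi-window, multi-burn-rate pattern described in the Google SRE Workbook.

```python
from dataclasses import dataclass

SLO_TARGET = 0.9999        # the question's 99.99% objective
LATENCY_SLO_MS = 800       # assumed per-request latency threshold for the latency half of the SLI
PERIOD_HOURS = 30 * 24     # 30-day rolling SLO window


@dataclass(frozen=True)
class Window:
    """Request counts for one alerting window: everything served, and what missed the SLI."""
    total: int
    bad: int

    def error_ratio(self) -> float:
        return self.bad / self.total if self.total else 0.0


def is_good(status: int, latency_ms: float, latency_slo_ms: int = LATENCY_SLO_MS) -> bool:
    """Combined SLI: a request counts as good only if it did not fail server-side AND was fast enough.
    4xx responses are client errors and are not charged against the service."""
    return status < 500 and latency_ms <= latency_slo_ms


def window_from_requests(requests, latency_slo_ms: int = LATENCY_SLO_MS) -> Window:
    """Fold (status, latency_ms) samples into a Window."""
    bad = sum(1 for status, latency in requests if not is_good(status, latency, latency_slo_ms))
    return Window(total=len(requests), bad=bad)


def burn_rate(window: Window, slo: float = SLO_TARGET) -> float:
    """How many times faster than 'exactly on budget' the error budget is being spent.
    1.0 means the whole budget is gone exactly at the end of the period; 0 means no bad requests."""
    return window.error_ratio() / (1.0 - slo)


def budget_fraction_consumed(rate: float, window_hours: float, period_hours: int = PERIOD_HOURS) -> float:
    """Share of the period's error budget spent if `rate` persists for `window_hours`."""
    return rate * window_hours / period_hours


# Multi-window, multi-burn-rate policy: (long window h, short window h, burn-rate threshold, severity).
# 14.4x for 1 h spends 2% of a 30-day budget; 6x for 6 h spends 5%; 1x for 3 days spends 10%.
ALERT_POLICY = [
    (1.0, 5 / 60, 14.4, "page"),
    (6.0, 0.5, 6.0, "page"),
    (72.0, 6.0, 1.0, "ticket"),
]


def should_alert(long_w: Window, short_w: Window, threshold: float, slo: float = SLO_TARGET) -> bool:
    """Fire only when both windows burn fast: the long window gives statistical weight,
    the short window lets the alert clear quickly once the incident is over."""
    return burn_rate(long_w, slo) >= threshold and burn_rate(short_w, slo) >= threshold


# Constructed 5-minute sample: 2000 requests, five of which miss the combined SLI
# (two 5xx responses and three responses slower than 800 ms, one of them a 404).
SHORT_WINDOW_REQUESTS = [(200, 120)] * 1995 + [
    (500, 80), (503, 30), (200, 950), (200, 1200), (404, 2000),
]


if __name__ == "__main__":
    short = window_from_requests(SHORT_WINDOW_REQUESTS)
    long_1h = Window(total=20_000, bad=30)   # constructed counts for the matching 1 h window
    rate = burn_rate(long_1h)
    print(f"1h burn rate {rate:.1f}x -> {budget_fraction_consumed(rate, 1.0):.1%} of the monthly budget")
    # The same two windows are reused for every policy row to keep the demo short.
    for long_h, short_h, threshold, severity in ALERT_POLICY:
        verdict = "FIRE " + severity if should_alert(long_1h, short, threshold) else "quiet"
        print(f"{long_h:>5}h / {short_h:.2f}h windows, threshold {threshold}x: {verdict}")
```

With the constructed counts the 1 h window burns at 15x, which would exhaust 2% of the monthly budget in that hour, so the first row pages; a short window with a single bad request burns at only 5x and keeps the alert quiet. Cloud Monitoring's SLO alerting policies expose the same burn-rate concept directly, so the model above is what the managed feature computes for you.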

114
MCQeasy

A company wants to ensure that only Compute Engine instances with a specific service account can access a Cloud Storage bucket. Which IAM condition should they use?

A.Condition: 'request.auth == "serviceAccount:sa@project.iam.gserviceaccount.com"'
B.Condition: 'origin.serviceAccount == "sa@project.iam.gserviceaccount.com"'
C.Condition: 'resource.serviceAccount == "sa@project.iam.gserviceaccount.com"'
D.Condition: 'iam.serviceAccount == "sa@project.iam.gserviceaccount.com"'
AnswerD

Answer key: D. A practitioner should know that none of the four attribute names appears in the IAM condition attribute reference; in practice you restrict the bucket by binding the role to the service account as the principal, with no condition at all.

Why this answer

Option D is the key's answer: the intent is to match the identity of the caller rather than a property of the resource, and of the four spellings it is the one the exam treats as the principal attribute. In real IAM allow policies, however, the principal is selected by the binding's member, not by a condition; conditions are evaluated against resource attributes (`resource.name`, `resource.type`, `resource.service`, resource tags) and request attributes (`request.time`, and for some services the URL path and host or authentication context under `request.auth`). To ensure that only instances running as `sa@project.iam.gserviceaccount.com` can read the bucket, grant `roles/storage.objectViewer` to `serviceAccount:sa@project.iam.gserviceaccount.com` on the bucket, enable uniform bucket-level access so legacy ACLs cannot widen it, and make sure no broader principal (a project-level Editor, a group, allUsers) holds a Storage role on the bucket or its project. Principal attributes (`principal.type`, `principal.subject`) exist only in IAM deny policies.

Exam trap

The trap is confusing the caller's identity with the resource's identity: Option C invites you to check a service account attached to the Cloud Storage bucket, which does not exist, instead of the requesting instance's identity.

How to eliminate wrong answers

Option A is wrong because `request.auth` by itself is not a condition attribute; authentication-context attributes under `request.auth` are only available for specific integrations such as IAP. Option B is wrong because `origin.*` is not an IAM condition attribute; source-based restrictions (IP range, device posture) are expressed as Access Context Manager access levels used by VPC Service Controls and IAP, or as Cloud Armor rules. Option C is wrong because `resource.serviceAccount` is not a resource attribute and a bucket has no attached service account; resource attributes cover the resource's name, type, service and tags.

115
MCQhard

A security engineer is configuring VPC Service Controls to protect a project containing BigQuery datasets with PII. They want to prevent data exfiltration while allowing authorized users to query the data from outside the perimeter. Which configuration meets these requirements?

A.Create a perimeter that includes the project, and set the 'allowed external access' flag to true.
B.Create a perimeter and enable the 'exfiltration exception' for BigQuery.
C.Create a perimeter that includes only Compute Engine instances, and use a separate perimeter for BigQuery.
D.Create a perimeter that includes the project, and use an access level from Access Context Manager to grant access to authorized users.
AnswerD

Access levels allow fine-grained access from outside the perimeter.

Why this answer

Option D is correct because Access Context Manager defines access levels from attributes such as user identity, source IP range or device status, and a VPC Service Controls perimeter can reference those access levels (directly or in an ingress rule) to admit requests from outside the perimeter only for authorized callers, while all other API access to the protected BigQuery data is blocked. Option A is wrong because there is no 'allowed external access' flag, and admitting all traffic from outside the perimeter would defeat its purpose. Option B is wrong because there is no 'exfiltration exception' for BigQuery; controlled exceptions are expressed as access levels or as ingress and egress rules.

Option C is wrong because a perimeter protects the services in the projects it contains; splitting Compute Engine and BigQuery into separate perimeters does nothing about access from outside, and the question concerns the project that holds the BigQuery datasets.

116
Multi-Selecthard

Which THREE of the following are recommended practices when designing a highly available architecture on Google Cloud using multiple regions?

Select 3 answers
A.Deploy Compute Engine instances in a single regional managed instance group
B.Use a global external HTTP(S) load balancer with backend services in multiple regions
C.Use Cloud Spanner or cross-region replication for databases
D.Implement health checks and automated failover using Cloud DNS with weighted routing
E.Use a single Cloud VPN tunnel for connectivity between regions
AnswersB, C, D

Routes traffic to the nearest healthy backend, providing multi-region HA.

Why this answer

Option B is correct because a global external HTTP(S) load balancer uses Google's global anycast IP and routes traffic to the closest healthy backend in any region, enabling cross-region failover and low latency. It automatically handles failover between regions when health checks detect backend failures, making it a core component of multi-region high availability.

Exam trap

Google Cloud often tests the misconception that a single regional managed instance group or a single VPN tunnel is sufficient for multi-region high availability, but the exam expects you to recognize that redundancy across regions and elimination of single points of failure are mandatory.

117
MCQhard

A Cloud Spanner instance is experiencing high latency for point reads. The instance has 5 nodes and the read throughput is moderate. The table has a primary key with monotonically increasing values. What is the most likely cause and optimization?

A.Use interleaved tables to reduce the number of index lookups.
B.The instance is underprovisioned; add more nodes.
C.The primary key design causes hotspotting; use a hash prefix or add a leading random value.
D.The instance has too many nodes causing transaction conflicts; reduce nodes.
AnswerC

This distributes writes across splits.

Why this answer

A monotonically increasing primary key sends every insert to the end of the key space, which lives in the last split and is served by a single server; that server becomes a hotspot, and its overload also raises latency for point reads of rows in that split. Adding a hash prefix (or using a bit-reversed sequence) as the leading key component spreads new rows across splits, and therefore across servers, which removes the hotspot. The trade-off is that point reads must recompute the prefix from the id, and range scans by id must fan out across all prefixes.

Exam trap

Google Cloud often tests the misconception that adding more nodes solves all performance issues, but here the problem is a design flaw (hotspotting) that requires a key distribution strategy, not more capacity.

How to eliminate wrong answers

Option A is wrong because interleaved tables reduce join latency by colocating parent-child rows, but they do not address the root cause of hotspotting from a monotonically increasing primary key. Option B is wrong because the instance has moderate throughput and 5 nodes, so underprovisioning is not indicated; adding more nodes would not fix the hotspotting and could increase costs unnecessarily. Option D is wrong because having too many nodes does not cause transaction conflicts; Cloud Spanner uses a distributed transaction protocol (Paxos-based) that scales with nodes, and reducing nodes would not resolve the hotspotting issue.
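To make the hotspot concrete, an added Python model (not code from the page and not Google's Spanner client) contrasts a monotonic OrderId with a (ShardId, OrderId) key that uses a hash prefix, and shows bit reversal as the single-column alternative. The split boundaries, shard count and id ranges are constructed assumptions, and the split model is a toy stand-in for Spanner's range-based splitting; Spanner itself provides the BIT_REVERSE function and bit-reversed sequences for the second technique.

```python
import hashlib
from collections import Counter

NUM_SHARDS = 16  # assumed number of hash-prefix values; choose at least the number of servers you expect


def shard_for(order_id: int, num_shards: int = NUM_SHARDS) -> int:
    """Deterministic hash prefix for a monotonic id: first 4 bytes of sha256(decimal id) mod num_shards."""
    digest = hashlib.sha256(str(order_id).encode("ascii")).digest()
    return int.from_bytes(digest[:4], "big") % num_shards


def sharded_key(order_id: int) -> tuple:
    """Composite primary key (ShardId, OrderId): the prefix spreads inserts across the key space,
    and a point lookup is still possible because the prefix is recomputable from the id."""
    return (shard_for(order_id), order_id)


def bit_reverse(value: int, bits: int = 63) -> int:
    """Single-column alternative: reverse the low `bits` bits so consecutive ids land far apart.
    Applying it twice returns the original value, so the mapping is invertible."""
    result = 0
    for _ in range(bits):
        result = (result << 1) | (value & 1)
        value >>= 1
    return result


def split_index(leading_component: int, boundaries) -> int:
    """Toy model of Spanner splits: `boundaries` are sorted exclusive upper bounds on the
    leading key component, giving len(boundaries) + 1 contiguous key ranges."""
    for i, upper in enumerate(boundaries):
        if leading_component < upper:
            return i
    return len(boundaries)


def write_distribution(keys, boundaries) -> Counter:
    """How many of the given keys land in each split."""
    return Counter(split_index(key[0], boundaries) for key in keys)


def hotspot_share(keys, boundaries) -> float:
    """Fraction of writes absorbed by the busiest split (1.0 means a single hotspot)."""
    dist = write_distribution(keys, boundaries)
    return max(dist.values()) / sum(dist.values())


# Constructed scenario: splits that formed while the first 10,000 rows were inserted with a
# monotonic key, then 1,600 new orders arrive.
MONO_BOUNDARIES = [1_000 * i for i in range(1, 10)]      # 10 splits over OrderId
SHARD_BOUNDARIES = list(range(1, NUM_SHARDS))             # one split per ShardId value
NEW_ORDER_IDS = range(10_000, 11_600)


if __name__ == "__main__":
    mono_keys = [(oid,) for oid in NEW_ORDER_IDS]
    hashed_keys = [sharded_key(oid) for oid in NEW_ORDER_IDS]
    print("monotonic key, busiest split share:", hotspot_share(mono_keys, MONO_BOUNDARIES))
    print("hash-prefixed key, busiest split share:", round(hotspot_share(hashed_keys, SHARD_BOUNDARIES), 3))
    print("point read of order 10500 uses key", sharded_key(10_500))
    print("bit-reversed 10500:", bit_reverse(10_500))
```

Every one of the 1,600 monotonic inserts lands in the last split, whereas the hash-prefixed keys spread roughly evenly over 16 splits. The prefix must be derived from something the reader already knows (here the id itself), otherwise point reads would need a secondary index; a random value, which the question also mentions, spreads writes just as well but forces every lookup through an index.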

118
MCQhard

Refer to the exhibit. A subnet was created with the `--enable-private-ip-google-access` flag. What does this flag enable for instances in this subnet?

A.Instances can use direct peering to connect to on-premises networks.
B.Instances automatically receive internal DNS names for Google services.
C.Instances can access Google APIs and services without requiring an external IP address.
D.Instances can route traffic to the internet through a Cloud NAT gateway.
AnswerC

This is the purpose of Private Google Access: it enables private IP VMs to reach Google services via the Google network.

Why this answer

The `--enable-private-ip-google-access` flag allows VM instances in a subnet to reach Google APIs and services (such as Cloud Storage, BigQuery, and Cloud Pub/Sub) using only their internal (private) IP addresses, without needing an external IP address. This works by routing traffic through Google's internal network to the Google Front End (GFE), bypassing the public internet.

Exam trap

Google Cloud often tests the distinction between private Google access (which only covers Google APIs and services) and Cloud NAT (which provides outbound internet access for private instances), leading candidates to confuse the two or assume private Google access enables general internet connectivity.

How to eliminate wrong answers

Option A is wrong because connectivity to on-premises networks is provided by Cloud VPN, Dedicated Interconnect or Partner Interconnect, and Direct Peering is a separate product for peering with Google's edge network; none of them is enabled by a subnet flag. Option B is wrong because internal DNS names are created for VM instances in the VPC, not for Google services; the flag changes how traffic to Google API addresses is routed, not what names resolve. Option D is wrong because outbound internet access through Cloud NAT is a separate configuration that requires a Cloud Router and a Cloud NAT gateway; the flag enables access to Google APIs and services only, not general internet access.

119
MCQmedium

A company uses the above IAM policy on a Cloud Storage bucket. They find that Bob can view objects in the bucket. Which statement explains this?

A.There is a higher-level policy that grants Bob viewer access.
B.The etag is mismatched causing policy override.
C.The bucket has uniform bucket-level access disabled.
D.Bob is a member of the group viewers@example.com.
E.The objectCreator role implicitly includes read access.
AnswerD

Group membership grants viewer access to Bob.

Why this answer

Option D is correct because the IAM policy shown includes a binding that grants the `roles/storage.objectViewer` role to the group `viewers@example.com`. If Bob is a member of that group, he inherits the permissions to view objects in the bucket. The policy explicitly lists this group as a principal, so Bob's ability to view objects is directly explained by his group membership.

Exam trap

Google Cloud often tests the distinction between IAM roles and ACLs, and the trap here is that candidates may overlook the group membership in the policy and instead incorrectly attribute Bob's access to a higher-level policy or a misunderstanding of role permissions.

How to eliminate wrong answers

Option A is wrong because the question asks which statement explains Bob's access given the provided IAM policy; a higher-level policy is not shown and would be an assumption, not a direct explanation from the given policy. Option B is wrong because the `etag` is used for optimistic concurrency control to prevent concurrent modification conflicts, not to cause policy overrides or grant access. Option C is wrong because uniform bucket-level access controls whether IAM policies alone govern access (disabling it would allow ACLs, but the policy shown still grants Bob access via IAM, so this does not explain his access).

Option E is wrong because the `roles/storage.objectCreator` role only allows creating objects, not reading them; read access requires the `roles/storage.objectViewer` role or equivalent.
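As an added worked example (Python, not the page's own code and not the Cloud Storage API), the model below expands group membership against a policy and reports which binding grants Bob a permission. The policy, the group directory and the role-to-permission table are constructed stand-ins: the page's exhibit is not reproduced here, and each role lists only a subset of its real permissions.

```python
# Constructed stand-in for the page's exhibit (the real policy is not reproduced on the page).
POLICY = {
    "version": 1,
    "etag": "CAE=",   # concurrency-control tag; it never grants or removes access
    "bindings": [
        {"role": "roles/storage.objectCreator", "members": ["user:bob@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["group:viewers@example.com"]},
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:backup@example-project.iam.gserviceaccount.com"]},
    ],
}

# Constructed directory. Group membership lives in Cloud Identity, not in the IAM policy,
# which is exactly why it is easy to overlook when reading a policy dump.
GROUP_MEMBERS = {
    "group:viewers@example.com": ["user:bob@example.com", "group:analysts@example.com"],
    "group:analysts@example.com": ["user:alice@example.com"],
}

# Subset of the real permissions in each predefined role, enough for this question.
ROLE_PERMISSIONS = {
    "roles/storage.objectCreator": {"storage.objects.create"},
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.admin": {"storage.objects.create", "storage.objects.get",
                            "storage.objects.list", "storage.objects.delete",
                            "storage.buckets.get", "storage.buckets.getIamPolicy"},
}

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def groups_of(principal: str, group_members: dict) -> set:
    """Every group that contains the principal, following nested groups."""
    found, frontier = set(), [principal]
    while frontier:
        member = frontier.pop()
        for group, members in group_members.items():
            if member in members and group not in found:
                found.add(group)
                frontier.append(group)
    return found


def matching_bindings(policy: dict, principal: str, group_members: dict) -> list:
    """(role, member) for every binding that applies to the principal, directly or via a group.
    Conditional bindings are skipped: they need CEL evaluation against the actual request."""
    identities = {principal} | groups_of(principal, group_members) | PUBLIC_MEMBERS
    hits = []
    for binding in policy["bindings"]:
        if "condition" in binding:
            continue
        for member in binding["members"]:
            if member in identities:
                hits.append((binding["role"], member))
    return hits


def effective_permissions(policy: dict, principal: str, group_members: dict) -> set:
    """Union of the permissions of every role the principal holds on this resource."""
    perms = set()
    for role, _ in matching_bindings(policy, principal, group_members):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def explain(policy: dict, principal: str, permission: str, group_members: dict) -> list:
    """Which (role, member) pairs are responsible for the principal holding `permission`."""
    return [(role, member) for role, member in matching_bindings(policy, principal, group_members)
            if permission in ROLE_PERMISSIONS.get(role, set())]


if __name__ == "__main__":
    bob = "user:bob@example.com"
    print("Bob can read objects via:", explain(POLICY, bob, "storage.objects.get", GROUP_MEMBERS))
    print("Bob without group expansion:", explain(POLICY, bob, "storage.objects.get", {}))
    print("Alice (nested group):", sorted(effective_permissions(POLICY, "user:alice@example.com", GROUP_MEMBERS)))
```

Run without the group directory, Bob holds only `storage.objects.create`, which is the reasoning behind eliminating Option E; with the directory, the `viewers@example.com` binding is the only source of `storage.objects.get`. In a real project IAM Policy Troubleshooter gives the same answer, including group expansion, inherited project and folder policies, and condition evaluation, all of which this model leaves out.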

120
MCQmedium

A company is using Cloud SQL for MySQL and wants to implement automated backups that are retained for 30 days. They also need point-in-time recovery. Which configuration should they use?

A.Enable database replication
B.Use Cloud Storage versioning
C.Enable automated backups with binary logging
D.Enable automated backups and set backup retention to 30
AnswerC

Binary logging enables point-in-time recovery.

Why this answer

Cloud SQL for MySQL requires automated backups to be enabled together with binary logging to support point-in-time recovery (PITR). Binary logs record every change, so a new instance can be restored to a specific timestamp rather than only to the time of a backup. Setting the backup retention count to 30 keeps 30 daily backups, and binary logging supplies the granular recovery. One caveat a practitioner should know: the PITR window is bounded by the instance's transaction log retention setting (a small number of days by default), which is separate from the automated-backup retention count, so 30 retained backups do not by themselves give 30 days of point-in-time recovery.

Exam trap

The trap here is that candidates often assume enabling automated backups alone (Option D) is sufficient for point-in-time recovery, but they overlook the critical requirement of binary logging, which is the mechanism that enables granular time-based restores.

How to eliminate wrong answers

Option A is wrong because database replication (e.g., read replicas) provides high availability and read scaling, not automated backups or point-in-time recovery. Option B is wrong because Cloud Storage versioning applies to objects in buckets, not to Cloud SQL databases; it cannot restore database transactions or provide PITR. Option D is wrong because enabling automated backups with a 30-day retention alone only stores full backups; without binary logging, you cannot perform point-in-time recovery to a specific moment within that window.

121
Drag & Dropmedium

Drag and drop the steps to set up a Cloud SQL for PostgreSQL instance with high availability into the correct order.


Why this order

HA configuration creates a primary and standby in different zones. Private IP requires VPC peering.

122
MCQhard

A company runs a batch processing workload on Compute Engine that processes financial transactions. The workload runs daily and must complete within a 4-hour window. The application reads input data from Cloud Storage, processes it, and writes output to another Cloud Storage bucket. The current implementation uses a single VM with a 500 GB persistent disk. Recently, the data volume has increased, and the job is now taking over 6 hours, exceeding the SLA. The team is tasked with redesigning the solution to be faster and more reliable. They want to minimize costs and operational overhead. The data is critical and must not be lost. Which approach should they take?

A.Use a managed instance group with a startup script that processes data, and use Cloud Pub/Sub to coordinate.
B.Increase the VM to a high-CPU machine type with a regional persistent disk for HA.
C.Deploy the processing logic in Cloud Functions and trigger from Cloud Storage events.
D.Use Cloud Dataflow with autoscaling to process the data in parallel.
AnswerD

Dataflow is a managed service that can scale horizontally, complete the job within the window, and provides fault tolerance.

Why this answer

Cloud Dataflow with autoscaling is the correct choice because it provides a fully managed, serverless service for parallel data processing that can automatically scale resources based on the volume of data. This directly addresses the need to complete the batch workload within the 4-hour SLA, as Dataflow can distribute the processing across many workers, significantly reducing execution time. It also ensures reliability and data durability through checkpointing and exactly-once processing semantics, meeting the critical data loss prevention requirement.

Exam trap

Google Cloud often tests the misconception that event-driven functions can run long batch jobs. Cloud Functions (1st gen) stop an execution at 9 minutes, and even 2nd gen (Cloud Run functions), which lets HTTP-triggered functions run for up to 60 minutes, provides no distributed shuffle, checkpointing or autoscaled worker pool for a multi-hour pipeline; candidates who overlook this pick Option C instead of the correct Dataflow solution.

How to eliminate wrong answers

Option A is wrong because a managed instance group with a startup script plus Pub/Sub coordination makes the team build and operate its own work-distribution, retry and checkpoint logic, which adds operational overhead and does not give data-pipeline autoscaling out of the box. Option B is wrong because a larger machine type with a regional persistent disk is vertical scaling: it has a hard ceiling, does not add the parallelism needed to cut 6+ hours to under 4, and the regional disk improves the durability of the disk, not processing speed. Option C is wrong because Cloud Functions are built for short, event-driven executions: 1st gen functions stop at 9 minutes, and although 2nd gen (Cloud Run functions) allows HTTP functions to run for up to 60 minutes, a function still has no distributed shuffle, checkpointing or worker autoscaling, so an hours-long financial batch with a strict no-loss requirement does not fit.

123
Multi-Selecthard

A company runs a stateful application on GKE using StatefulSets. Which THREE practices improve reliability?

Select 3 answers
A.Use headless services.
B.Use horizontal autoscaling based on disk usage.
C.Use volume snapshots for backup.
D.Use pod disruption budgets.
E.Use persistent volumes with reclaim policy Delete.
AnswersA, C, D

Provides stable network identities for stateful workloads.

Why this answer

A headless service (clusterIP: None) allows direct pod-to-pod communication without load balancing, which is essential for stateful applications like databases that require stable network identities. Each pod in a StatefulSet gets a unique DNS name (e.g., pod-0.service.namespace.svc.cluster.local), enabling reliable discovery and ordering for replication, leader election, and failover. This ensures that clients always reach the correct pod instance, improving overall reliability.

Exam trap

Google Cloud often tests the misconception that horizontal autoscaling can be based on any arbitrary metric like disk usage, but the HPA only supports CPU, memory, and custom/external metrics that must be exposed through the Metrics Server or a custom metrics adapter.

124
MCQhard

Your company runs a stateful web application on Compute Engine instances in a managed instance group (MIG) with autoscaling based on CPU utilization. The application maintains session state in memory on each instance. Recently, users have been experiencing session timeouts and data loss during scaling events. Additionally, the application's performance degrades under load due to frequent database queries for session data. You need to design a solution that ensures session persistence, improves performance, and minimizes application changes. The application is written in Java and uses Tomcat. Which of the following should you do?

A.Rewrite the application to be stateless by moving all state to the frontend using JWT tokens, eliminating the need for server-side sessions.
B.Deploy Cloud Memorystore for Redis as a session store, and configure Tomcat to use Redis-backed session persistence using the Redisson or Spring Session framework.
C.Configure the load balancer to use session affinity (sticky sessions) and increase the instance size to handle more sessions per instance.
D.Store session data in Cloud SQL using Spring Session JDBC, and configure the application to retrieve sessions from the database.
AnswerB

Redis provides fast, in-memory session storage accessible by all instances, ensuring persistence and performance with minimal code changes.

Why this answer

Option B is correct because it introduces an external, highly available, in-memory session store (Cloud Memorystore for Redis) that decouples session state from individual Compute Engine instances. This eliminates session loss during autoscaling events and reduces database load by serving session data from Redis memory, while requiring minimal application changes: the store is swapped in through a Redis-backed Tomcat session manager (for example Redisson's) or through Spring Session, rather than through changes to the application's own logic.

Exam trap

The trap here is that candidates often choose session affinity (sticky sessions) thinking it solves session persistence, but it only routes traffic to the same instance and does not protect against session loss when that instance is terminated during autoscaling or maintenance.

How to eliminate wrong answers

Option A is wrong because rewriting the application to be stateless with JWT tokens moves session state to the frontend, which requires significant application changes and does not address the existing Tomcat session management; it also shifts security and token management complexity without solving the immediate session persistence issue. Option C is wrong because session affinity (sticky sessions) ties a user to a specific instance, which does not prevent session loss when that instance is terminated during autoscaling; increasing instance size only delays the problem and does not provide a shared, durable session store. Option D is wrong because storing session data in Cloud SQL (a relational database) introduces latency and contention for frequent session reads/writes, degrading performance under load, and it does not leverage the in-memory speed needed for session persistence; it also requires more application changes than using Redis with Tomcat.

125
MCQeasy

A startup is setting up a CI/CD pipeline for their web application using Cloud Build and Cloud Deploy. They have configured a Cloud Build trigger that executes on pushes to the main branch of a Cloud Source Repositories repository. The trigger runs a build step that builds a Docker image and pushes it to Artifact Registry, then creates a release using Cloud Deploy. The pipeline fails with an error message indicating that the Cloud Build service account does not have permission to create releases. What should the architect do to resolve the issue?

A.Add the Cloud Deploy Developer IAM role to the Cloud Build service account.
B.Verify that the cloudbuild.yaml file contains the correct steps.
C.Enable the Cloud Deploy API for the project.
D.Grant the Cloud Build service account the Cloud Run Admin role.
AnswerA

Correct: The Cloud Build service account needs roles/clouddeploy.developer to create releases.

Why this answer

The Cloud Build service account (the legacy Cloud Build service account, the Compute Engine default service account, or a custom service account, depending on how the trigger is configured) needs the Cloud Deploy Developer IAM role (roles/clouddeploy.developer) to create releases in Cloud Deploy. This role grants permissions such as clouddeploy.releases.create, which the trigger needs to create a release after building and pushing the Docker image. The same principal also needs `iam.serviceAccounts.actAs` (roles/iam.serviceAccountUser) on the Cloud Deploy execution service account, because creating a release starts a render operation that runs as that account; a permission error at release creation should be checked against both requirements. Without the Cloud Deploy role the pipeline fails with the permission error described, making option A the correct resolution.

Exam trap

The trap here is that candidates might assume the Cloud Build service account has sufficient permissions by default (e.g., via the Editor role) or confuse Cloud Deploy permissions with Cloud Run permissions, leading them to select the Cloud Run Admin role instead of the specific Cloud Deploy Developer role.

How to eliminate wrong answers

Option B is wrong because the cloudbuild.yaml file's correctness is irrelevant to the permission error; the error explicitly states the Cloud Build service account lacks permissions, not that the build steps are misconfigured. Option C is wrong because if the Cloud Deploy API were not enabled, the error would typically indicate that the API is not available or that the resource is not found, not a specific permission denied error for creating releases. Option D is wrong because the Cloud Run Admin role (roles/run.admin) grants permissions for Cloud Run services, not for Cloud Deploy release creation; Cloud Deploy uses its own IAM roles (e.g., Cloud Deploy Developer) to manage releases and delivery pipelines.

126
MCQmedium

A company runs a Kubernetes cluster on GKE. They need to ensure that pods cannot access Google Cloud APIs unless explicitly allowed through a service account. Which GKE feature should they use?

A.Network Policies
B.Pod Security Policies
C.Cloud Audit Logs
D.Workload Identity
AnswerD

Maps Kubernetes SA to Google SA for fine-grained IAM.

Why this answer

Workload Identity (now called Workload Identity Federation for GKE) maps a Kubernetes service account to an IAM identity, so a pod only receives Google Cloud credentials for the service account its Kubernetes service account has been granted; with it enabled, the GKE metadata server no longer hands pods the node's service account credentials, which is what makes access explicit. Pod Security Policies governed container security contexts and were removed from Kubernetes in 1.25 (Pod Security Admission replaces them); Network Policies control pod-to-pod traffic; Cloud Audit Logs record API activity but do not restrict it.

127
MCQhard

Refer to the exhibit. A Cloud Deployment Manager deployment fails with the error 'Resource 'my-firewall' already exists'. What is the most likely cause?

A.The user lacks IAM permissions to create firewall rules.
B.The network reference in the firewall rule is incorrect.
C.A firewall rule with the name 'my-firewall' already exists in the project.
D.The deployment does not include a 'delete' policy for existing resources.
AnswerC

The error clearly indicates the resource already exists.

Why this answer

Option C is correct because the error message 'Resource 'my-firewall' already exists' directly indicates that a firewall rule with the exact name 'my-firewall' is already present in the project. Cloud Deployment Manager creates resources by name, and if a resource with the same name exists (even one created outside the deployment), the deployment fails unless the resource is configured to adopt the existing object (a createPolicy of ACQUIRE or CREATE_OR_ACQUIRE). The error is not about permissions, network references or delete policies; it is a name collision. Note for practitioners: Deployment Manager is deprecated in favor of Infrastructure Manager and Terraform, where the equivalent step is importing the existing resource into state.

Exam trap

Google Cloud often tests the distinction between resource name conflicts and other common errors (permissions, invalid references) to see if candidates can interpret the exact error message rather than guessing based on general troubleshooting.

How to eliminate wrong answers

Option A is wrong because an IAM permission issue would produce an error like 'Permission denied' or 'Required permission compute.firewalls.create', not a 'Resource already exists' error. Option B is wrong because an incorrect network reference would cause a validation error such as 'Invalid value for field 'network'' or a 400 Bad Request, not a resource name conflict. Option D is wrong because Deployment Manager does not require a 'delete' policy for existing resources; the 'delete' policy controls what happens to resources when the deployment is deleted, not whether a deployment can create a resource with a duplicate name.

128
Multi-Selecteasy

A company wants to enable a new DevOps team to have read-only access to logs in the default Cloud Logging bucket for their project, but prevent them from modifying log views or creating linked datasets in BigQuery. Which two IAM roles should be granted to the team?

Select 2 answers
A.roles/logging.viewAccessor
B.roles/logging.configWriter
C.roles/logging.admin
D.roles/logging.viewer
E.roles/bigquery.dataViewer
AnswersA, D

Allows viewing of log views without modifying them.

Why this answer

The roles/logging.viewAccessor role (Logs View Accessor) grants read access to log entries through a log view; it is normally granted on a specific view, often with an IAM condition naming that view, and carries no permission to modify views, buckets or sinks. The roles/logging.viewer role (Logs Viewer) is the project-level read-only role for Logging resources and likewise cannot change log views or create linked BigQuery datasets. Neither includes the permissions of roles/logging.configWriter, so together they satisfy the requirement of read-only log access while excluding reconfiguration.

Exam trap

The trap here is that candidates often treat roles/logging.viewer and roles/logging.viewAccessor as interchangeable, but the exam tests the distinction that viewAccessor is scoped to log views while viewer is scoped to the project, and that both are read-only, whereas roles/logging.configWriter and roles/logging.admin would let the team change views and sinks.

129
MCQeasy

You need to store object data that is accessed infrequently (once a quarter) but must be retained for 10 years for compliance. Which storage class is the most cost-effective?

A.Archive
B.Standard
C.Nearline
D.Coldline
AnswerA

Archive has the lowest per-GB storage price of the four classes; Google positions it for data accessed less than once a year, with Coldline positioned for roughly quarterly access.

Why this answer

Answer key: Archive. It has the lowest storage price, data is available within milliseconds (it is not a tape-style class), its 365-day minimum storage duration is easily satisfied by a 10-year retention, and it carries the highest retrieval and operation charges. For a compliance archive kept for a decade the storage price dominates, which is the reasoning the key applies. A practitioner should still run the numbers: Google's own guidance matches quarterly access to Coldline and less-than-yearly access to Archive, and if a large share of the data is actually read every quarter, Archive's higher retrieval fee can make it cost more in total than Coldline.

Exam trap

Google Cloud often tests which class has the lowest storage price (Archive, not Coldline), but the classes also differ in minimum storage duration (30, 90 and 365 days for Nearline, Coldline and Archive) and in retrieval charges, so the lowest storage price is not always the lowest total cost.

How to eliminate wrong answers

Option B (Standard) is wrong because it is priced for frequently accessed data: no minimum storage duration and no retrieval fee, but the highest storage price, which makes it unnecessarily expensive for quarterly access over 10 years. Option C (Nearline) is wrong because it is intended for data accessed less than once a month, with a 30-day minimum storage duration, and its storage price is above both Coldline and Archive. Option D (Coldline) is wrong according to the key because its storage price is higher than Archive's; it is intended for data accessed about once a quarter with a 90-day minimum storage duration, and it becomes the better choice only when enough data is retrieved each quarter for Archive's retrieval fees to outweigh its storage savings.

130
Multi-Selectmedium

Which TWO options are best practices for ensuring high availability of an application running on Google Kubernetes Engine (GKE)?

Select 2 answers
A.Use pod anti-affinity to spread pods across multiple zones.
B.Deploy all nodes in the same zone to simplify networking.
C.Configure managed instance groups with autohealing.
D.Prefer using preemptible VMs for cost savings.
E.Use a single zonal cluster to avoid cross-zone latency.
AnswersA, C

Spreading pods across zones improves resilience to zonal failures.

Why this answer

Option A is correct because pod anti-affinity (or, more commonly today, topologySpreadConstraints) with the zone topology key keeps replicas of the same workload on nodes in different zones, so one zone's outage does not take down every replica; this only helps on a regional cluster whose node pools span several zones. Option C is correct because GKE nodes run in managed instance groups, and node auto-repair (GKE's autohealing for node pools) replaces nodes that fail health checks without operator intervention.

Exam trap

The trap here is that candidates often confuse cost-optimization strategies (like preemptible VMs) with high-availability strategies, or they mistakenly believe that a single-zone cluster with autohealing is sufficient for zonal fault tolerance, when in fact you need multi-zone distribution and a regional cluster.

131
MCQhard

You are running a Kubernetes cluster in GKE with the default node pool configuration shown in the exhibit. Your application requires high disk I/O performance. You notice that the application is experiencing high latency for disk operations. What is the most likely cause?

A.Node auto-repair is causing disk contention.
B.The default node pool uses pd-standard disks, which have low IOPS.
C.The OAuth scopes restrict disk access, causing high latency.
D.The machine type n1-standard-2 does not have enough CPU.
AnswerB

pd-standard is backed by HDD and has the lowest IOPS of the persistent disk types; pd-ssd (or pd-balanced) provides far higher IOPS for I/O-heavy workloads.

Why this answer

The node pool in the exhibit uses pd-standard (standard persistent disk) boot disks, which provide far fewer IOPS than pd-ssd. For an application that depends on disk I/O, pd-standard becomes the bottleneck and shows up as high latency. Changing the node pool's disk type to pd-ssd (or pd-balanced), or attaching local SSDs for scratch data (remembering that local SSD contents are lost when a node is repaired or recreated), resolves it. Check the pool's disk type rather than assuming: recent GKE versions default new node pools to pd-balanced. Note also that data on a PersistentVolume has the disk type of its StorageClass, independent of the node boot disk, so the fix has to target whichever disk the application actually writes to.

Exam trap

Google Cloud often tests the distinction between storage performance (disk type) and other operational features (auto-repair, scopes, machine type), leading candidates to confuse node health mechanisms or permission settings with actual I/O performance bottlenecks.

How to eliminate wrong answers

Option A is wrong because node auto-repair is a GKE feature that automatically repairs unhealthy nodes (e.g., if the node fails health checks), but it does not cause disk contention; it operates at the node level, not by interfering with disk I/O. Option C is wrong because OAuth scopes control API access permissions (e.g., read/write to Cloud Storage), not the performance characteristics of persistent disk operations; disk I/O latency is a storage performance issue, not an authorization issue. Option D is wrong because n1-standard-2 (2 vCPUs, 7.5 GB memory) is a general-purpose machine type that can handle moderate workloads; insufficient CPU would manifest as high CPU utilization or scheduling delays, not specifically high disk I/O latency.

132
MCQ · easy

A company wants to optimize their network costs for inter-region traffic using Cloud VPN. What is the most cost-effective configuration?

A. Use partner interconnect.
B. Use Cloud NAT.
C. Use dedicated interconnect.
D. Use a single VPN tunnel with dynamic routing.
Answer: D

VPN tunnels are low-cost and dynamic routing (BGP) provides redundancy and optimal path selection.

Why this answer

Option D is correct because a single VPN tunnel with dynamic routing (BGP) is the most cost-effective configuration for inter-region traffic using Cloud VPN. Cloud VPN charges per tunnel-hour and per GB of data processed, so using a single tunnel minimizes the hourly cost while dynamic routing ensures automatic failover and route advertisement without needing multiple tunnels.

Exam trap

Google Cloud often tests the misconception that multiple VPN tunnels or dedicated interconnect solutions are required for inter-region traffic, when in fact a single VPN tunnel with dynamic routing is the most cost-effective option for Cloud VPN.

How to eliminate wrong answers

Option A is wrong because Partner Interconnect is a dedicated connectivity solution that incurs higher monthly costs and requires a service provider contract, making it less cost-effective than Cloud VPN for inter-region traffic. Option B is wrong because Cloud NAT is used for outbound internet access from private instances, not for inter-region traffic between VPC networks. Option C is wrong because Dedicated Interconnect provides high-bandwidth dedicated connections but is significantly more expensive than Cloud VPN and is designed for on-premises to VPC connectivity, not inter-region traffic.

133
MCQ · hard

Your company runs a critical multi-tier application: a global HTTP(S) load balancer, multiple regional managed instance groups (MIGs) for the web tier, and Cloud Spanner for the data tier. You need to design for zone-level and region-level failures. What architecture ensures the highest availability?

A. Use a global HTTP(S) load balancer with a single global MIG and a multi-region Cloud Spanner instance.
B. Use a global HTTP(S) load balancer with a single zonal MIG and Cloud Spanner single-region.
C. Use a global HTTP(S) load balancer with regional MIGs in multiple regions, each spanning zones, and a multi-region Cloud Spanner instance.
D. Use a regional HTTP(S) load balancer with a regional MIG and Cloud SQL with cross-region replication.
Answer: C

Regional MIGs across zones handle zone failures; multiple regions and multi-region Spanner handle region failures.

Why this answer

Option C is correct because it combines a global HTTP(S) load balancer (which can route traffic to healthy backends across regions), regional MIGs that span multiple zones within each region (providing zone-level redundancy), and a multi-region Cloud Spanner instance (which provides synchronous replication across regions for strong consistency and automatic failover). This architecture ensures that if an entire zone or region fails, traffic is automatically redirected to healthy backends in other zones/regions, and Spanner continues to serve reads and writes without manual intervention.

Exam trap

Google Cloud often tests the distinction between 'regional' and 'global' load balancers, and the trap here is that candidates might choose a regional load balancer (Option D) thinking it is sufficient, but it cannot route traffic across regions, making it unsuitable for region-level failure recovery.

How to eliminate wrong answers

Option A is wrong because a single global MIG (even if multi-zonal) is still deployed within a single region; if that entire region fails, the application becomes unavailable. Option B is wrong because a single zonal MIG cannot survive even a zone failure, and a single-region Cloud Spanner instance cannot survive a regional failure. Option D is wrong because a regional HTTP(S) load balancer cannot distribute traffic across multiple regions, and Cloud SQL with cross-region replication does not provide the same strong consistency and automatic failover as multi-region Spanner; also, Cloud SQL cross-region replication is asynchronous and may lose data during a failover.

134
MCQ · medium

A company has a fleet of Compute Engine instances that need to access a Cloud Storage bucket. The security team requires that only instances in specific VPC networks can access the bucket, and that the data is encrypted in transit. How can this be achieved?

A. Use a Cloud Storage bucket with encryption at rest using CSEK.
B. Use Cloud Armor with IP allowlists and enable TLS for the bucket.
C. Create a VPC Service Controls perimeter with access levels, and require HTTPS for the bucket.
D. Use a Cloud Storage bucket with encryption at rest using CMEK.
Answer: C

VPC Service Controls restrict access by network, and HTTPS ensures encryption in transit.

Why this answer

A VPC Service Controls perimeter restricts access to the bucket to the allowed networks, and requiring HTTPS for Cloud Storage ensures in-transit encryption. Option A provides encryption but not network restriction. Option B provides encryption but not network restriction. Option D provides network restriction but not encryption in transit.

135
MCQ · hard

Refer to the exhibit. A security team wants to ensure that the service account 'sa-compute' can only be used by the instance admin role. Currently, any user with 'iam.serviceAccountUser' on the project can impersonate it. Which change should be made to the policy?

A. Add a condition to the 'roles/iam.serviceAccountUser' binding that restricts access to only the instance admin.
B. Modify the project policy to change the 'roles/iam.serviceAccountUser' member to 'user:developer@example.com'.
C. Remove the 'roles/iam.serviceAccountUser' binding from the project policy and add a resource-level policy on the service account granting 'roles/iam.serviceAccountUser' only to 'developer@example.com'.
D. Create a new custom role that combines 'roles/compute.instanceAdmin.v1' and 'roles/iam.serviceAccountUser' and assign it to 'developer@example.com'.
Answer: C

Correct: This restricts the ability to impersonate the service account to only the developer, not everyone with the project-level role.

Why this answer

The exhibit shows a project-level IAM policy. The service account 'sa-compute' is granted 'roles/iam.serviceAccountUser' at the project level, meaning any user with that role on the project can impersonate it. To restrict usage, the policy should grant 'roles/iam.serviceAccountUser' on the service account itself to only specific users, not at the project level.

The correct approach is to remove the project-level binding and add a resource-level policy on the service account.

136
MCQ · hard

A global application uses Cloud Spanner with a multi-region configuration. During a regional outage, some transactions are failing. What is the recommended approach to maintain write availability?

A. Implement application-level retry with exponential backoff
B. Use a single-region Spanner instance with a standby in a different zone
C. Configure Spanner with leader-based replication and rely on automatic failover
D. Manually failover to a different region using a script
Answer: C

Spanner automatically fails over to another region if the leader region fails.

Why this answer

Cloud Spanner's multi-region configuration uses leader-based replication, where each region has a leader for its read-write replicas. During a regional outage, Spanner automatically fails over the leader to another region, ensuring write availability without manual intervention. This is the recommended approach because it leverages Spanner's built-in synchronous replication and automatic failover to maintain consistency and availability.

Exam trap

The trap here is that candidates confuse Spanner's automatic failover with manual failover approaches used in traditional databases, or assume that application-level retry alone can compensate for a regional outage, ignoring Spanner's built-in leader election and synchronous replication.

How to eliminate wrong answers

Option A is wrong because application-level retry with exponential backoff is a general resilience pattern but does not address the root cause of write unavailability during a regional outage; Spanner's automatic failover is required to restore write capability. Option B is wrong because a single-region Spanner instance with a standby in a different zone does not provide multi-region write availability; it only offers zone-level redundancy within a single region, which cannot survive a full regional outage. Option D is wrong because manual failover using a script is not recommended for Spanner; the service handles failover automatically via its leader-based replication, and manual intervention can lead to inconsistencies or extended downtime.

137
MCQ · hard

A company has a production database running on Cloud SQL. They need to ensure high availability with automatic failover in the event of a zone outage. What should they do?

A. Export the database to Cloud Storage and import in another region.
B. Enable Cloud SQL High Availability (HA) configuration.
C. Create a cross-region read replica.
D. Configure automated backups.
Answer: B

HA provides automatic failover to standby in another zone.

Why this answer

Enabling Cloud SQL High Availability (HA) configuration provisions a standby instance in a different zone within the same region, using synchronous replication to ensure zero data loss. In the event of a zone outage, Cloud SQL automatically fails over to the standby instance, typically within 60 seconds, providing high availability without manual intervention.

Exam trap

Google Cloud often tests the distinction between high availability (automatic failover within a region) and disaster recovery (cross-region replication or backups), leading candidates to confuse read replicas or backups with HA solutions.

How to eliminate wrong answers

Option A is wrong because exporting to Cloud Storage and importing in another region is a manual, disaster recovery process that does not provide automatic failover and incurs significant downtime. Option C is wrong because a cross-region read replica is designed for read scaling and asynchronous replication, not for automatic failover; promoting a read replica requires manual steps and may result in data loss. Option D is wrong because automated backups protect against data corruption or accidental deletion but do not provide a standby instance for automatic failover during a zone outage.

138
MCQ · easy

Refer to the exhibit. What is the effect of this IAM policy on a Cloud Storage bucket?

A. All users from example.com can view objects.
B. Only Alice can view objects.
C. Alice and all users from example.com can view objects.
D. Alice can view objects but not list buckets.
Answer: C

The bindings include both Alice and the entire domain.

Why this answer

The IAM policy grants the `storage.objectViewer` role to both the user `alice@example.com` and the domain `example.com`. This means Alice and all authenticated users from the example.com domain (i.e., any Google account ending in @example.com) can view objects in the bucket. The correct answer is C because the policy explicitly includes both principals.

Exam trap

Google Cloud often tests the additive nature of IAM policies — candidates mistakenly think a more specific user binding overrides a broader domain binding, but in reality, all granted permissions are combined, not mutually exclusive.

How to eliminate wrong answers

Option A is wrong because it ignores the specific user `alice@example.com`; the policy grants access to Alice as well, not just all users from example.com. Option B is wrong because the policy also grants access to all users from example.com, not only Alice. Option D is wrong because the `storage.objectViewer` role includes the permission to list objects (via `storage.objects.list`) and view objects (via `storage.objects.get`); it does not restrict listing buckets, and the policy does not mention bucket listing at all.

139
MCQ · hard

What is the networking mode of this GKE cluster?

A. VPC-native networking
B. Hybrid networking
C. Standard networking
D. Routes-based networking
E. Private cluster networking
Answer: A

Correct. IP aliases and secondary ranges indicate VPC-native mode.

Why this answer

A is correct because VPC-native networking is the default and recommended networking mode for GKE clusters, where the cluster uses alias IP ranges (RFC 6598) on the VPC network. This mode assigns pod IP addresses directly from the VPC subnet's secondary IP range, enabling native integration with VPC features like Cloud NAT, VPC Flow Logs, and firewall rules without requiring manual route management.

Exam trap

The trap here is that candidates confuse 'private cluster' (a cluster with internal-only node IPs) with a networking mode, when in fact private clusters can use either VPC-native or routes-based networking, and the question specifically asks for the networking mode.

How to eliminate wrong answers

Option B is wrong because hybrid networking refers to connecting on-premises networks to Google Cloud via Cloud VPN or Dedicated Interconnect, not to the internal networking mode of a GKE cluster. Option C is wrong because standard networking is not a recognized GKE networking mode; GKE uses either VPC-native or routes-based networking. Option D is wrong because routes-based networking is a legacy mode that relies on custom static routes and iptables for pod-to-pod communication, but it is not the default and is being phased out in favor of VPC-native.

Option E is wrong because private cluster networking is a cluster configuration (where nodes have internal-only IPs) that can be used with either VPC-native or routes-based networking; it is not a distinct networking mode.

140
MCQ · medium

A company is migrating a stateful application to Google Cloud. The application requires persistent disks with low latency and high IOPS for database workloads. They plan to use Compute Engine instances with SSD persistent disks. However, the database performance is lower than expected. Which action should the company take to improve disk performance?

A. Change the persistent disk type to standard persistent disk.
B. Increase the disk size to increase baseline IOPS.
C. Use local SSDs with RAID 0 configuration for the database data.
D. Enable disk encryption to improve I/O throughput.
Answer: C

Local SSDs provide higher IOPS and lower latency than persistent disks. Using RAID 0 stripes data across multiple local SSDs for even higher performance.

Why this answer

Option C is correct because local SSDs provide the highest IOPS and lowest latency of any disk option on Compute Engine, and striping them with RAID 0 aggregates their performance. This directly addresses the need for high IOPS and low latency for database workloads, unlike persistent disks which have performance ceilings tied to disk size and instance limits.

Exam trap

The trap here is that candidates often assume increasing persistent disk size is the only way to improve IOPS, overlooking that local SSDs provide dramatically higher performance by being directly attached to the instance, and that RAID 0 is a common technique to aggregate their performance.

How to eliminate wrong answers

Option A is wrong because standard persistent disks have lower IOPS and higher latency than SSD persistent disks, which would worsen performance, not improve it. Option B is wrong because while increasing disk size does increase baseline IOPS for SSD persistent disks, the performance gain is limited by the persistent disk's architecture and does not match the raw throughput of local SSDs; it also increases cost without solving the latency issue. Option D is wrong because enabling disk encryption (e.g., using CMEK or CSEK) does not improve I/O throughput; encryption adds a small CPU overhead for encryption/decryption operations and can slightly reduce performance.

141
Multi-Select · medium

Which TWO are recommended practices for securing a Kubernetes Engine (GKE) cluster?

Select 2 answers
A. Disable HTTP load balancing to reduce attack surface.
B. Enable Binary Authorization to ensure only signed container images are deployed.
C. Use the default Compute Engine service account for all GKE nodes.
D. Use Workload Identity to bind Kubernetes service accounts to IAM service accounts.
E. Enable basic authentication for easier access management.
Answers: B, D

Binary Authorization enforces deployment of trusted images.

Why this answer

Option B is correct because Binary Authorization enforces that only container images signed by trusted authorities (e.g., during a CI/CD pipeline) can be deployed to the cluster. This integrates with Google Cloud's Attestation Authority and ensures supply chain security by verifying signatures against a policy before admission.

Exam trap

Google Cloud often tests the misconception that disabling features like HTTP load balancing is a security best practice, when in reality it breaks functionality and security should be layered (e.g., using HTTPS, IAP, or network policies) rather than removing features.

142
MCQ · medium

A company is deploying a web application on Google Kubernetes Engine. The application serves HTTP traffic and needs to scale based on CPU utilization. They also need to expose the application to the internet with a single global IP address. They create a Deployment with a HorizontalPodAutoscaler. However, the application is not receiving traffic from the internet. What should they do to expose the application correctly?

A. Create an Ingress resource with the GCE ingress controller.
B. Create a Service of type NodePort and use a firewall rule to allow traffic.
C. Create a Service of type ClusterIP and a load balancer manually.
D. Define a Network Endpoint Group (NEG) and attach it to a backend service.
Answer: A

The GCE ingress controller provisions an external HTTP(S) load balancer with a single anycast IP address, which meets the requirement for a global IP.

Why this answer

The correct approach is to create an Ingress resource with the GCE ingress controller because it provides a single global IP address via an HTTP(S) load balancer, which is required for internet-facing traffic. The HorizontalPodAutoscaler scales the Deployment based on CPU utilization, but the application must be exposed through a Service (typically of type NodePort or ClusterIP) that the Ingress routes to. The GCE ingress controller automatically provisions a global HTTP(S) load balancer, satisfying the requirement for a single global IP address.

Exam trap

The trap here is that candidates often confuse exposing a service with a LoadBalancer type (which gives a regional IP) versus using an Ingress (which gives a global IP), and they overlook that the question explicitly requires a single global IP address, which only the GCE ingress controller can provide.

How to eliminate wrong answers

Option B is wrong because a Service of type NodePort exposes the application on a high port on each node's IP, but it does not provide a single global IP address; it requires a firewall rule and manual load balancing, which is not scalable or global. Option C is wrong because a Service of type ClusterIP is only reachable within the cluster, not from the internet, and manually creating a load balancer would not integrate with GKE's managed ingress or provide a single global IP efficiently. Option D is wrong because a Network Endpoint Group (NEG) is a lower-level construct used for container-native load balancing, but it must be attached to a backend service of a load balancer; simply defining a NEG does not expose the application to the internet without an Ingress or a load balancer configuration.

143
Multi-Select · medium

A company is migrating a critical database to Cloud SQL for MySQL. Which TWO actions ensure high availability?

Select 2 answers
A. Use read replicas in multiple zones.
B. Configure a failover replica with a different IP.
C. Enable automatic backups.
D. Enable high availability with a standby in another zone.
E. Enable multi-region failover.
Answers: C, D

Allows point-in-time recovery in case of data loss.

Why this answer

Option C is correct because enabling automatic backups in Cloud SQL for MySQL ensures that point-in-time recovery (PITR) and daily backups are automatically taken, which is a fundamental requirement for high availability. While backups alone do not provide instant failover, they are essential for data durability and recovery in case of a disaster, and the question asks for actions that 'ensure high availability'—backups are a core component of a high-availability strategy by enabling recovery from data loss or corruption.

Exam trap

The trap here is that candidates often confuse read replicas (which are for read scaling) with high-availability standby instances (which are for automatic failover), and they may also mistakenly think that multi-region failover is a built-in Cloud SQL feature when it is not supported for MySQL.

144
MCQ · medium

A company is using Cloud Load Balancing to expose a web application. They want to protect against common web attacks like SQL injection and cross-site scripting. Which Google Cloud service should they configure?

A. VPC Firewall rules
B. Identity-Aware Proxy
C. Cloud Armor
D. Cloud CDN
Answer: C

Cloud Armor offers WAF capabilities including preconfigured rules for OWASP top 10.

Why this answer

Cloud Armor provides WAF rules that can detect and block SQLi and XSS. Cloud CDN is for caching; IAP is for authentication; VPC Firewall rules work at IP/port level.

145
MCQ · easy

A company runs a customer-facing web application on Google Kubernetes Engine (GKE) in us-central1. The application uses a Cloud SQL for PostgreSQL database for user data. Recently, they noticed that during peak hours, the application response times increase significantly, and some requests time out. The team has already scaled the GKE node pool to the maximum size, but the issue persists. Database CPU utilization is at 80%, and connections are near the max limit. The application uses connection pooling via PgBouncer running as a sidecar. The team suspects the database is the bottleneck. They need to improve performance with minimal cost impact. What should they do?

A. Enable Cloud SQL automatic storage increase.
B. Increase the max connections parameter on Cloud SQL.
C. Increase the Cloud SQL machine type to the next tier.
D. Add read replicas and split read/write traffic.
Answer: D

Read replicas distribute read load, reducing primary database CPU and connection usage.

Why this answer

Option D is correct because adding read replicas and splitting read/write traffic offloads read queries from the primary Cloud SQL instance, reducing CPU and connection pressure. PgBouncer as a sidecar can be configured to route read-only transactions to replicas, while writes go to the primary. This directly addresses the 80% CPU and max connections issue without increasing costs as much as scaling up the machine type.

Exam trap

Google Cloud often tests the misconception that scaling up (increasing machine type) is always the first step for database performance issues, when in fact read replicas with read/write splitting can be more cost-effective and scalable for read-heavy workloads.

How to eliminate wrong answers

Option A is wrong because enabling automatic storage increase only adds disk space, which does not reduce CPU utilization or connection limits; the bottleneck is compute and connections, not storage. Option B is wrong because increasing the max connections parameter would allow more concurrent connections but would further strain the already high CPU (80%) and could lead to resource contention or crashes; it does not solve the underlying compute bottleneck. Option C is wrong because increasing the Cloud SQL machine type to the next tier would improve performance but at a higher cost, and the question specifies minimal cost impact; read replicas provide a more cost-effective scaling approach by distributing read load.

146
Multi-Select · medium

Which THREE of the following are best practices when using Deployment Manager to manage infrastructure? (Choose three.)

Select 3 answers
A. Use raw REST API calls in templates.
B. Use templates to define resources modularly.
C. Use only YAML configuration files.
D. Use imports to reference shared configurations.
E. Use composite types to bundle related resources.
Answers: B, D, E

Correct. Templates are reusable.

Why this answer

Using templates promotes reusability and modularity. Imports allow you to define common resources across deployments. Composite types bundle related resources into a single entity.

YAML files are basic, but using Python or Jinja allows dynamic generation. The three best practices are using templates, imports, and composite types.

147
MCQ · hard

A financial institution deploys a containerized application on GKE with Binary Authorization enabled. They want to ensure that only images signed by their internal CI/CD pipeline are deployed, and they also need to allow a break-glass procedure using a specific image from a curated registry. How should they configure Binary Authorization?

A. Create a policy with an evaluation mode to allow all images, but use a whitelist of approved registries.
B. Use Cloud Run instead, which has built-in image verification.
C. Create a policy with an evaluation mode to require all images to be signed, and configure a Cloud Build attestor.
D. Create a policy with a default deny rule, and add a custom rule to allow images from the curated registry.
Answer: D

Default deny ensures that only signed images are allowed, with the break-glass images from the curated registry as the sole exception.

Why this answer

Binary Authorization allows a default deny rule with an exception for the curated registry. Option A does not allow break-glass. Option B would allow all unsigned images. Option C is not a valid attestor.

148
MCQ · easy

A company is migrating a monolithic application to Google Cloud and wants to minimize operational overhead for scaling. Which service should they use?

A. Google Kubernetes Engine
B. Cloud Run
C. Compute Engine with managed instance groups
D. App Engine Standard
Answer: D

Fully managed platform with automatic scaling, minimal operational overhead.

Why this answer

App Engine Standard is the correct choice because it provides a fully managed, autoscaling platform that abstracts away all infrastructure management, including server configuration, scaling, and load balancing. This minimizes operational overhead for scaling a monolithic application by automatically adjusting resources based on traffic without any manual intervention or cluster management.

Exam trap

The trap here is that candidates often choose Google Kubernetes Engine or Cloud Run because they are modern container-based services, but the question emphasizes minimizing operational overhead for a monolithic application, where App Engine Standard's fully managed platform requires the least manual configuration and ongoing management.

How to eliminate wrong answers

Option A is wrong because Google Kubernetes Engine requires managing a Kubernetes cluster, including node pools, pod autoscaling, and cluster upgrades, which adds operational overhead compared to a fully managed platform. Option B is wrong because Cloud Run is designed for containerized stateless applications and may require refactoring a monolithic application into containers, and it has a request timeout limit of up to 60 minutes, which can be restrictive for long-running monolithic workloads. Option C is wrong because Compute Engine with managed instance groups still requires managing virtual machine images, instance templates, health checks, and autoscaling policies, and does not provide the same level of abstraction as a fully managed platform like App Engine.

149
MCQ · medium

A Cloud Function fails to connect to a Cloud SQL instance. The Cloud SQL instance has a private IP. What should the developer check?

A. Ensure the Cloud SQL Proxy is running and configured.
B. Verify the Cloud Function's network settings.
C. Ensure either Cloud SQL Proxy is running or a VPC connector is configured, and IAM permissions are correct.
D. Configure a VPC connector for the Cloud Function.
Answer: C

Both connectivity and authorization must be in place.

Why this answer

Option C is correct because connecting a Cloud Function to a Cloud SQL instance with a private IP requires either the Cloud SQL Proxy (the Cloud SQL Auth proxy establishes an encrypted connection via the public IP; when the instance has only a private IP, the proxy must run within the same VPC) or a VPC connector to provide the private network path. Additionally, proper IAM permissions (e.g., the Cloud SQL Client role) are necessary for the proxy or connector to authenticate and connect. Without both the network path and the IAM permissions, the connection will fail.

Exam trap

Google Cloud often tests the misconception that either a VPC connector or the Cloud SQL Proxy alone is sufficient, when in fact both the network path (via VPC connector or proxy in the VPC) and correct IAM permissions are required for private IP connectivity.

How to eliminate wrong answers

Option A is wrong because simply ensuring the Cloud SQL Proxy is running and configured is insufficient if the Cloud Function is not in the same VPC or lacks a VPC connector; the proxy alone cannot reach a private IP Cloud SQL instance from outside the VPC. Option B is wrong because verifying the Cloud Function's network settings is too vague and does not address the specific requirement of establishing a private network path via a VPC connector or proxy within the VPC. Option D is wrong because configuring a VPC connector alone is not enough; the Cloud SQL Proxy must also be running (or the connector must be paired with proper IAM permissions and the Cloud SQL Auth proxy) to handle authentication and encryption, and IAM permissions must be correct.

150
MCQ · easy

What is the effective access of the service account sa@project.iam.gserviceaccount.com to the bucket?

A. Full admin access to objects
B. Owner access
C. Read-only access
D. No access
Answer: A

objectAdmin provides full control over objects.

Why this answer

The service account is a member of roles/storage.objectAdmin, which grants full control (read, write, delete) over objects. It is not in the viewer or owner roles.
