Google Professional Cloud Architect (PCA) — Questions 151-225

509 questions total · 7 pages · All types, answers revealed


Page 3 of 7

151
MCQ · hard

What is the most likely reason the NetworkPolicy is not taking effect?

A. The developer used the networking.k8s.io/v1 API version instead of the Calico CRD projectcalico.org/v3.
B. The cluster has a global network policy that overrides per-namespace policies.
C. The pod labels do not match because of a capitalization mismatch.
D. The NetworkPolicy is missing a spec.podSelector.matchLabels entry.
Answer: A

Calico-only features (policy order, GlobalNetworkPolicy, string selectors) exist only in the projectcalico.org/v3 CRDs; a native networking.k8s.io/v1 policy is still enforced on GKE, but without those fields.

Why this answer

The manifest was written for Calico's schema but submitted under the standard Kubernetes API version `networking.k8s.io/v1`. The two schemas differ: the Calico CRD `projectcalico.org/v3` adds order of precedence (`order`), GlobalNetworkPolicy, a string `selector`, explicit `types`, and match criteria that the native NetworkPolicy API does not have. Calico-specific fields under the native API are rejected by strict field validation (the default in current kubectl) or pruned by the API server, so either nothing is created or the stored object is a stripped-down policy that does not express what the author intended, and the rules never take effect. Two caveats a practitioner should keep in mind: GKE's network policy enforcement (Calico or GKE Dataplane V2) does enforce plain `networking.k8s.io/v1` policies, so the API version alone is not a problem unless Calico-only fields are used; and no policy of either kind is enforced unless network policy enforcement is enabled on the cluster, which `gcloud container clusters describe CLUSTER --format="value(networkPolicy.enabled)"` reports for Calico-based clusters. Checking that, and reading the object back with `kubectl get networkpolicy -n NAMESPACE -o yaml` to see which fields survived, is the fastest way to confirm the diagnosis.

Exam trap

Google Cloud often tests the distinction between native Kubernetes NetworkPolicies and CNI-specific CRDs (like Calico), trapping candidates who assume all NetworkPolicies use the same API version and ignore the need to match the policy engine's schema.

How to eliminate wrong answers

Option B is wrong because a Calico GlobalNetworkPolicy does not blanket-override namespaced policies; policies are evaluated in `order` precedence, and a correctly defined per-namespace policy still takes effect unless a lower-order global policy explicitly denies the traffic first (native Kubernetes has no global policy at all). Option C is wrong because label matching is case-sensitive, so a capitalization mismatch would make the policy select no pods, but the policy object itself would be accepted and enforced; the question asks for the most likely reason the policy is not taking effect, and the API version mismatch is the more fundamental issue. Option D is wrong because `spec.podSelector` can use `matchExpressions` instead of `matchLabels`, and an empty selector (`podSelector: {}`) is valid and selects every pod in the namespace; omitting `matchLabels` does not stop the policy from taking effect.
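The three failure modes the options describe (Calico-only fields under the native API, a case-only label mismatch, and an empty podSelector that is actually fine) can be checked before `kubectl apply` with a small linter. The script below is an added example written for this page, not code from the exam, GKE or Calico; the manifests are embedded as already-parsed YAML (Python dicts) and the pod labels are constructed sample data so it runs offline.

```python
"""Lint NetworkPolicy manifests for the failure modes behind question 151.

Added example; not code from the exam page, GKE or Calico. Manifests are
embedded as already-parsed YAML (Python dicts) and the pod list is constructed
sample data, so the script runs offline.
"""

K8S_API = "networking.k8s.io/v1"
CALICO_API = "projectcalico.org/v3"

# spec fields that exist only in Calico's v3 CRD schema. Submitted under the
# native API they are rejected by strict field validation or pruned by the
# API server, so the stored policy is not the one the author intended.
CALICO_ONLY_FIELDS = {"order", "selector", "types", "serviceAccountSelector"}


def _norm(labels):
    """Lower-case keys and values, used only to spot case-only mismatches."""
    return {k.lower(): v.lower() for k, v in labels.items()}


def lint_policy(policy, pods):
    """Return a list of findings (strings) for one policy; empty means clean.

    pods: list of {"name", "namespace", "labels"} dicts for the workloads the
    policy is supposed to select.
    """
    api = policy.get("apiVersion")
    spec = policy.get("spec", {})
    ns = policy.get("metadata", {}).get("namespace", "default")

    if api == CALICO_API:
        return []  # Calico fields are legitimate under the CRD schema
    if api != K8S_API:
        return [f"unrecognised apiVersion {api!r}"]

    findings = []
    leaked = sorted(CALICO_ONLY_FIELDS & set(spec))
    if leaked:
        findings.append(f"Calico-only fields {leaked} under {K8S_API}; "
                        f"use {CALICO_API} or drop them")
    if "podSelector" not in spec:
        findings.append("spec.podSelector is required by the native API")
        return findings

    # Label matching is exact and case-sensitive. An empty podSelector ({} or
    # no matchLabels) selects every pod in the namespace, so it is not a defect.
    wanted = spec["podSelector"].get("matchLabels", {})
    in_ns = [p for p in pods if p["namespace"] == ns]
    matched = [p["name"] for p in in_ns
               if all(p["labels"].get(k) == v for k, v in wanted.items())]
    if not matched:
        near = [p["name"] for p in in_ns
                if all(_norm(p["labels"]).get(k) == v
                       for k, v in _norm(wanted).items())]
        hint = f" (case-only mismatch with {near})" if near else ""
        findings.append(f"podSelector {wanted} selects no pods in {ns!r}{hint}")
    return findings


# Constructed sample data: two pods in namespace "shop".
PODS = [
    {"name": "web-1", "namespace": "shop", "labels": {"app": "web"}},
    {"name": "db-1", "namespace": "shop", "labels": {"app": "db"}},
]

# A Calico-style policy submitted under the native API (the exam's option A).
WRONG_API = {
    "apiVersion": K8S_API, "kind": "NetworkPolicy",
    "metadata": {"name": "deny-db", "namespace": "shop"},
    "spec": {"order": 100, "selector": "app == 'db'", "types": ["Ingress"],
             "podSelector": {"matchLabels": {"app": "db"}}},
}

# A native policy whose label value differs only in case (option C).
CASE_MISMATCH = {
    "apiVersion": K8S_API, "kind": "NetworkPolicy",
    "metadata": {"name": "web-ingress", "namespace": "shop"},
    "spec": {"podSelector": {"matchLabels": {"app": "Web"}},
             "policyTypes": ["Ingress"], "ingress": []},
}

# A correct native default-deny with an empty podSelector (option D is fine).
DEFAULT_DENY = {
    "apiVersion": K8S_API, "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny", "namespace": "shop"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}

if __name__ == "__main__":
    for manifest in (WRONG_API, CASE_MISMATCH, DEFAULT_DENY):
        print(manifest["metadata"]["name"], lint_policy(manifest, PODS) or "ok")
```

In a real pipeline the dicts would come from `yaml.safe_load` over the manifest files and the pod list from `kubectl get pods -o json`; the selector logic is the same.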

152
Multi-Select · medium

A company needs to connect two VPC networks in different Google Cloud regions. The VPCs are in separate projects under the same organization. The connection must use private IP addresses and support high throughput. Which TWO options meet these requirements? (Choose 2.)

Select 2 answers
A. HA VPN Gateway
B. VPC Network Peering
C. Cloud NAT
D. Cloud VPN (HA VPN Classic)
E. Shared VPC
Answers: B, D

Correct: VPC Network Peering works across regions and projects, keeps traffic on private IPs, and is not capped by per-tunnel limits.

Why this answer

VPC Network Peering connects two VPC networks regardless of region or project (even across organizations), routes on internal IPs over Google's backbone, and has no tunnel-level bandwidth cap, so it satisfies both requirements; note that peering is non-transitive and each side's firewall rules still apply to peered traffic. Cloud VPN also works across regions and projects and its IPsec tunnels carry private-IP traffic, but each tunnel is limited to roughly 3 Gbps, so a high-throughput requirement means running several tunnels with ECMP; the exam accepts it as the second answer, with peering the better fit. Shared VPC lets service projects use subnets of a host project's VPC; it does not connect two existing VPCs.

Cloud NAT only provides outbound internet access for instances without external IPs. An HA VPN gateway is a component of a Cloud VPN deployment, not a connection method on its own.

153
MCQ · medium

A company uses Terraform to manage Google Cloud infrastructure. They want to store the Terraform state file in a remote backend with state locking to prevent concurrent modifications. Which Google Cloud service supports this natively?

A. Cloud Firestore
B. Cloud Spanner
C. Bigtable
D. Cloud Storage
E. Cloud SQL
Answer: D

Correct. Cloud Storage is the Google Cloud service with a native Terraform backend (`gcs`), and that backend implements state locking.

Why this answer

Of the options, only Cloud Storage has a built-in Terraform backend. The `gcs` backend stores state under the configured `prefix` (`<prefix>/<workspace>.tfstate`) and takes a lock by creating a sibling object `<prefix>/<workspace>.tflock` (for example `terraform/state/default.tflock`) with a precondition that the object must not already exist. Because object creation with that precondition is atomic and Cloud Storage is strongly consistent, two concurrent `terraform apply` runs cannot both hold the lock; the loser fails with a lock error instead of corrupting the state. Object versioning is not part of the lock mechanism, but enable it on the bucket so an earlier state can be recovered. State regularly contains secrets, so restrict the bucket with IAM (no `allUsers` or `allAuthenticatedUsers` bindings) and consider the backend's `kms_encryption_key` setting so state is stored under a customer-managed key.

Exam trap

Google Cloud often tests the misconception that any database with locking (like Cloud Spanner or Cloud SQL) can serve as a Terraform backend, but the exam requires knowing that only services with a native Terraform backend implementation—specifically Cloud Storage—are supported for state locking.

How to eliminate wrong answers

Option A is wrong because Cloud Firestore is a NoSQL document database designed for mobile/web apps, not for Terraform state locking; it lacks native Terraform backend support. Option B is wrong because Cloud Spanner is a globally distributed relational database with strong consistency, but Terraform does not provide a native Spanner backend for state storage. Option C is wrong because Bigtable is a wide-column NoSQL database optimized for high-throughput analytics, not for Terraform state management; it has no native Terraform backend integration.

Option E is wrong because Cloud SQL is a managed relational database service (MySQL/PostgreSQL/SQL Server) that Terraform does not support as a native state backend; it would require custom tooling for locking.
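The lock described above rests on one Cloud Storage feature: a create request with a "must not exist" precondition either succeeds or fails atomically. The simulation below is an added example for this page, not Terraform's code and not a Cloud Storage client; it models only that precondition in an in-memory bucket so two simulated `terraform apply` runs (whose backend would be configured as `terraform { backend "gcs" { bucket = "..." prefix = "terraform/state" } }`) can race for the lock offline. The bucket contents and holder names are made up.

```python
"""Simulate the lock that Terraform's gcs backend takes (question 153).

Added example; not Terraform's own code and not a Cloud Storage client. The
gcs backend locks state by creating `<prefix>/<workspace>.tflock` with a
does-not-exist precondition (if-generation-match 0) and unlocks by deleting
it. The in-memory bucket below models only that precondition so two
simulated `terraform apply` runs can race for the lock offline. Prefix and
holder names are made up.
"""


class PreconditionFailed(Exception):
    """Stands in for the HTTP 412 Cloud Storage returns on a failed precondition."""


class FakeBucket:
    """Minimal object store with per-object generation numbers."""

    def __init__(self):
        self._objects = {}  # name -> (generation, data)
        self._next_gen = 1

    def create(self, name, data, if_generation_match=None):
        # generation 0 means "only succeed if the object does not exist yet";
        # Cloud Storage evaluates this atomically, which is what makes it a lock.
        if if_generation_match == 0 and name in self._objects:
            raise PreconditionFailed(name)
        gen, self._next_gen = self._next_gen, self._next_gen + 1
        self._objects[name] = (gen, data)
        return gen

    def get(self, name):
        return self._objects.get(name)

    def delete(self, name):
        self._objects.pop(name, None)


def lock_path(prefix, workspace="default"):
    return f"{prefix}/{workspace}.tflock"


def acquire(bucket, prefix, holder_name):
    """Try to take the lock; True on success, False if another run holds it."""
    try:
        bucket.create(lock_path(prefix), f"held by {holder_name}".encode(),
                      if_generation_match=0)
        return True
    except PreconditionFailed:
        return False


def holder(bucket, prefix):
    """Who holds the lock, or None; Terraform prints this in its lock error."""
    obj = bucket.get(lock_path(prefix))
    return None if obj is None else obj[1].decode().removeprefix("held by ")


def release(bucket, prefix):
    bucket.delete(lock_path(prefix))


def race(prefix="terraform/state"):
    """Two applies contend for one state; returns what each run observed."""
    bucket = FakeBucket()
    ci_got_lock = acquire(bucket, prefix, "ci-runner")
    dev_got_lock = acquire(bucket, prefix, "developer-laptop")
    seen_holder = holder(bucket, prefix)
    release(bucket, prefix)
    dev_retry = acquire(bucket, prefix, "developer-laptop")
    return ci_got_lock, dev_got_lock, seen_holder, dev_retry


if __name__ == "__main__":
    print(race())
```

The same precondition is what makes `terraform force-unlock` dangerous: deleting the lock object by hand while the holder is still running re-opens exactly the race the lock exists to prevent.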

154
MCQ · medium

A company is migrating its on-premises application to Google Cloud. The application requires low-latency access to a shared filesystem that can be mounted by multiple Compute Engine instances across different zones. Which storage solution should they use?

A. Provision a Filestore instance and mount it on the instances.
B. Create a Persistent Disk and attach it to all instances.
C. Attach Local SSD to each instance and replicate data between them.
D. Use Cloud Storage FUSE to mount a bucket on each instance.
Answer: A

Filestore provides a managed NFS filesystem that Compute Engine VMs in any zone of the region can mount concurrently, over the VPC, for low-latency shared access.

Why this answer

Filestore provides a fully managed NFS file share that many Compute Engine instances mount at once with read-write access. An instance is zonal on the basic tiers and regional on the Enterprise and Regional tiers, and in either case VMs in other zones of the same region reach it through the VPC with low latency, so it covers the multi-mount, multi-writer requirement natively. One security caveat: NFS exports carry no user authentication of their own, so restrict reachability with VPC firewall rules and Filestore's IP-based access control on the export, and do not expose the share beyond the subnets that need it.

Exam trap

The trap here is that candidates often confuse Persistent Disk multi-attach (read-only for many instances, or a raw shared block device in multi-writer mode) with a writable shared filesystem, or assume Cloud Storage FUSE can replace a POSIX NFS share for low-latency workloads.

How to eliminate wrong answers

Option B is wrong because a Persistent Disk attaches read-write to one instance or read-only to many; the multi-writer mode available for some SSD disk types exposes a shared raw block device that needs a cluster-aware filesystem on top, so it is not a shared filesystem either. Option C is wrong because Local SSDs are ephemeral and tied to a single instance; replicating data between them manually adds complexity, latency, and consistency problems, and still does not provide a shared filesystem. Option D is wrong because Cloud Storage FUSE presents an object store as a filesystem; it does not offer POSIX locking, low-latency metadata operations, or the consistent shared-write semantics a shared filesystem needs.

155
Multi-Select · hard

Which TWO of the following are valid methods to control access to Google Cloud resources using Identity and Access Management (IAM)?

Select 2 answers
A. Attach an IAM policy to an organization
B. Attach an IAM policy to a project
C. Attach an IAM policy to a user
D. Assign an IAM role directly to a user
E. Attach an IAM policy to a service account
Answers: A, B

IAM allow policies are attached to resources in the hierarchy: organization, folder, project, or an individual resource such as a bucket.

Why this answer

Attaching an IAM policy to an organization (option A) and to a project (option B) are both valid: an allow policy is a set of role bindings attached to a resource, and the organization, folder, and project nodes of the resource hierarchy are all resources. A binding on the organization is inherited by every folder, project, and resource beneath it, which is what makes centralized control possible; a binding on a project applies to that project's resources. The effective policy on any resource is the union of the policies up the hierarchy, so a child cannot remove a role granted by an ancestor (only an IAM deny policy can block it).

Exam trap

Google Cloud often tests the distinction between attaching a policy to a resource and granting a role to an identity: a user or group never carries a policy of its own, it appears as a member in bindings on resources, so C and D describe something IAM does not do. One caveat about E: a service account is both an identity and a resource, so it does have its own IAM policy, which controls who may impersonate it or create keys for it (`gcloud iam service-accounts set-iam-policy`); the exam reads E as treating the service account purely as a principal, which is the intended wrong answer.

156
Multi-Select · medium

Which TWO practices improve the security of a Cloud Run service?

Select 2 answers
A. Enable Cloud Armor for the service.
B. Use Identity-Aware Proxy (IAP) to authenticate users.
C. Run the service in a VPC with firewall rules.
D. Use a canary deployment strategy.
E. Require client-side TLS certificates.
Answers: A, B

Cloud Armor adds WAF rules and DDoS protection in front of the service; IAP puts authentication and authorization in front of it.

Why this answer

Cloud Armor (WAF rules, rate limiting, DDoS mitigation) and Identity-Aware Proxy (Google-identity authentication before a request reaches the container) are the two security controls. Both are applied through an external HTTP(S) load balancer with a serverless NEG in front of the service; on their own they can be bypassed via the default `*.run.app` URL, so set the service's ingress to `internal-and-cloud-load-balancing` (`gcloud run services update SERVICE --ingress=internal-and-cloud-load-balancing`) and keep the invoker IAM permission required, so the load balancer path is the only one. Option C describes the Compute Engine and GKE model: Cloud Run does not run inside your VPC (it reaches VPC resources through a connector or Direct VPC egress), and inbound access is governed by the ingress setting and IAM, not firewall rules. Option D is a release strategy; it helps availability, not security. Option E is not supported by Cloud Run's managed endpoint, which terminates TLS itself and does not validate client certificates; Cloud Run already serves HTTPS.

157
MCQ · hard

An organization wants to enforce a policy that prohibits the creation of Cloud Storage buckets with uniform bucket-level access disabled. What should they use?

A. Organization policy with a list constraint.
B. IAM roles with custom permissions to deny bucket creation.
C. Cloud Audit Logs to monitor bucket creation.
D. Cloud Armor security policies.
Answer: A

Organization policies enforce configuration constraints on resources at creation time.

Why this answer

Option A is correct: the Organization Policy Service is the preventive control for resource configuration, and the constraint for this requirement is `constraints/storage.uniformBucketLevelAccess`. When it is enforced on the organization (or a folder or project), creating a bucket with uniform bucket-level access disabled is rejected and disabling it on a bucket that has it is rejected; buckets that already had it disabled before enforcement are not changed retroactively, so audit those separately. One nit with the option text: this constraint is a boolean constraint (`enforce: true`), not a list constraint; list constraints carry allowed or denied values, as `constraints/gcp.resourceLocations` does. It can be enforced with `gcloud resource-manager org-policies enable-enforce storage.uniformBucketLevelAccess --organization=ORG_ID` or with a policy file passed to `gcloud org-policies set-policy`. Option B is wrong because IAM controls who may create buckets, not what settings a bucket is created with; it has no way to express "deny only if ACLs are enabled". Option C is wrong because audit logs record bucket creation after the fact; they detect but do not prevent.

Option D is wrong because Cloud Armor filters HTTP(S) traffic at the load balancer edge; it has nothing to do with bucket configuration.

158
Multi-Select · medium

A company stores large amounts of data in Cloud Storage and wants to reduce costs. Which two actions should they take? (Choose two.)

Select 2 answers
A. Disable object versioning to prevent multiple versions.
B. Enable object versioning and configure lifecycle rules to delete noncurrent versions after 90 days.
C. Add bucket labels to track cost by department.
D. Configure lifecycle management to transition objects to Nearline or Coldline storage classes after 30 days.
E. Change the default storage class to Standard for all buckets.
Answers: B, D

Lifecycle rules remove outdated versions and move cold data to cheaper classes, which reduces the storage bill.

Why this answer

Option B is correct because the lifecycle rule caps how long noncurrent versions are billed: versioning on its own increases storage (every overwrite or delete keeps a noncurrent copy), so the saving comes from the `Delete` action with a `daysSinceNoncurrentTime` condition that removes copies nobody needs any more. Option D is correct because a `SetStorageClass` action with an `age` condition moves data to Nearline or Coldline after 30 days, so infrequently accessed data is stored at a lower per-GB price. Colder classes carry minimum storage durations (30 days for Nearline, 90 for Coldline) and per-GB retrieval charges, so transition only data whose access pattern fits; otherwise retrieval and early-deletion fees erase the saving.

Exam trap

Google Cloud often tests the distinction between cost allocation (labels) and direct cost reduction (lifecycle rules), leading candidates to mistakenly choose labeling as a cost-saving measure.
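The two rules from options B and D can be dry-run against a bucket listing before they are applied. The script below is an added example for this page, not the page's code and not the Cloud Storage service; it applies both rules to a constructed listing and reports what the service would do with each object version today. The rule layout follows the lifecycle JSON that `gcloud storage buckets update --lifecycle-file` accepts; object names and dates are made up.

```python
"""Evaluate Cloud Storage lifecycle rules offline (question 158).

Added example; not the page's code and not the Cloud Storage service. It
applies the two rules from options B and D to a constructed bucket listing
and reports what the service would do with each object version today. The
rule layout follows the lifecycle JSON that `gcloud storage buckets update
--lifecycle-file` accepts; object names and dates are made up.
"""
from datetime import date

LIFECYCLE = {"rule": [
    # Option D: move Standard objects older than 30 days to Nearline.
    {"action": {"type": "SetStorageClass", "storageClass": "NEARLINE"},
     "condition": {"age": 30, "matchesStorageClass": ["STANDARD"]}},
    # Option B: delete versions that have been noncurrent for 90 days.
    {"action": {"type": "Delete"},
     "condition": {"daysSinceNoncurrentTime": 90}},
]}

TODAY = date(2024, 6, 30)

# Constructed listing; "#n" marks the version (the service uses generation numbers).
OBJECTS = [
    {"key": "reports/q1.csv#2", "storageClass": "STANDARD",
     "created": date(2024, 1, 15), "noncurrentTime": None},
    {"key": "reports/q1.csv#1", "storageClass": "STANDARD",
     "created": date(2023, 12, 1), "noncurrentTime": date(2024, 2, 1)},
    {"key": "reports/q2.csv#1", "storageClass": "STANDARD",
     "created": date(2024, 6, 20), "noncurrentTime": None},
    {"key": "archive/old.bin#1", "storageClass": "NEARLINE",
     "created": date(2024, 1, 1), "noncurrentTime": date(2024, 5, 1)},
]


def _matches(cond, obj, today):
    """True if every condition in the rule holds for this object version."""
    if "age" in cond and (today - obj["created"]).days < cond["age"]:
        return False
    if "matchesStorageClass" in cond and \
            obj["storageClass"] not in cond["matchesStorageClass"]:
        return False
    if "daysSinceNoncurrentTime" in cond:
        nc = obj["noncurrentTime"]
        if nc is None or (today - nc).days < cond["daysSinceNoncurrentTime"]:
            return False
    if "isLive" in cond and cond["isLive"] != (obj["noncurrentTime"] is None):
        return False
    return True


def evaluate(lifecycle, objects, today):
    """Map object version -> action for versions that match a rule today.

    As documented for the service, Delete takes precedence when several
    rules match the same version.
    """
    decisions = {}
    for obj in objects:
        actions = [r["action"] for r in lifecycle["rule"]
                   if _matches(r["condition"], obj, today)]
        if not actions:
            continue
        if any(a["type"] == "Delete" for a in actions):
            decisions[obj["key"]] = "Delete"
        else:
            decisions[obj["key"]] = "SetStorageClass:" + actions[0]["storageClass"]
    return decisions


def demo():
    """Run the page's two rules over the constructed listing as of TODAY."""
    return evaluate(LIFECYCLE, OBJECTS, TODAY)


if __name__ == "__main__":
    for key, action in demo().items():
        print(f"{key:24} {action}")
```

Note what is left alone: the 10-day-old object (too young for the transition) and the Nearline version that has been noncurrent for only 60 days. The noncurrent `reports/q1.csv#1` matches both rules and is deleted rather than transitioned.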

159
MCQ · easy

A user runs the gsutil command shown in the exhibit and gets an AccessDenied error. The user is not authenticated with gcloud. What should the user do first?

A. Create a service account and download a JSON key.
B. Grant public write access to the bucket.
C. Use gcloud config set project my-project to set the project.
D. Run gcloud auth login to authenticate with their Google account.
Answer: D

This obtains user credentials that gsutil (and its successor, `gcloud storage`) picks up from the gcloud configuration.

Why this answer

The error occurs because the user is not authenticated with gcloud. The gsutil command requires valid authentication credentials to access Google Cloud Storage resources. Running `gcloud auth login` initiates the OAuth 2.0 flow, which authenticates the user with their Google account and generates the access token that gsutil uses for API calls.

This is the prerequisite step before any gsutil operation can succeed.

Exam trap

Google Cloud often tests the distinction between authentication (who you are) and authorization (what you can do); the trap here is that candidates may confuse the AccessDenied error with a bucket permission issue and jump to granting public access or setting a project, when the root cause is simply missing authentication credentials.

How to eliminate wrong answers

Option A is wrong because creating a service account and downloading a JSON key is an alternative authentication method, but it is not the first step; the user must first authenticate with gcloud (either via user account or service account) before gsutil can use those credentials. Option B is wrong because granting public write access to the bucket would bypass authentication entirely, which is a severe security misconfiguration and not a solution for an unauthenticated user; the error is about missing credentials, not bucket permissions. Option C is wrong because `gcloud config set project my-project` only sets the default project for gcloud commands but does not authenticate the user; without authentication, gsutil still cannot access any bucket regardless of the project setting.

160
MCQ · hard

A financial services company is designing a multi-region application on Google Kubernetes Engine (GKE) for high availability. They need to serve user requests from the closest region and automatically failover if a region becomes unavailable. Which architecture should they use?

A. Use a global external HTTP(S) load balancer with a single backend service pointing to one regional cluster.
B. Use Cloud CDN in front of a single regional GKE cluster to cache content.
C. Use a single regional GKE cluster with auto-scaling across zones.
D. Deploy GKE clusters in multiple regions and use a multicluster ingress with an external HTTP(S) load balancer set up with the global external backend.
Answer: D

Multi Cluster Ingress programs a global external HTTP(S) load balancer whose backends are the GKE clusters in every region, so users are routed to the nearest healthy cluster and shifted elsewhere when a region's backends fail health checks.

Why this answer

Option D is correct because deploying GKE clusters in multiple regions and using a multicluster ingress with a global external HTTP(S) load balancer enables traffic routing to the closest healthy backend cluster based on latency or geography, and automatically fails over to another region if one becomes unavailable. The global external backend configuration allows the load balancer to distribute traffic across multiple regional GKE clusters, providing both proximity-based routing and high availability.

Exam trap

The trap here is that candidates often confuse high availability across zones within one region (which a single regional cluster provides) with resilience to a regional outage, and overlook that a global load balancer with backends in multiple regions is required for proximity-based routing and cross-region failover.

How to eliminate wrong answers

Option A is wrong because a single backend service pointing to one regional cluster cannot provide multi-region failover or route users to the closest region; it only supports a single region. Option B is wrong because Cloud CDN caches content but does not provide active failover or multi-region traffic steering; it only reduces latency for cached content from a single origin. Option C is wrong because a single regional GKE cluster with auto-scaling across zones provides zonal high availability within one region but cannot serve requests from the closest region or failover to another region if the entire region becomes unavailable.

161
MCQ · medium

Your company has a production environment on Google Cloud that includes Compute Engine instances, Cloud Storage buckets, and BigQuery datasets. Security policies require that all data at rest is encrypted with CMEK, and audit logs must be retained for 7 years. The current configuration uses Google-managed encryption keys. You have been asked to transition to CMEK for all resources. After enabling CMEK for new resources, you discover that the existing resources are not re-encrypted. To comply with the policy, you need to re-encrypt the existing data. What should you do?

A. Enable CMEK on the existing resources by modifying the resource's encryption settings. This will automatically re-encrypt the data.
B. Delete the existing resources and recreate them with CMEK enabled. Then restore data from backups.
C. Enable Data Loss Prevention (DLP) API to scan and re-encrypt data automatically.
D. For Compute Engine: create new disks with CMEK, attach them, and copy data. For Cloud Storage: rewrite objects with CMEK. For BigQuery: copy datasets to new datasets with CMEK.
Answer: D

Each service needs its existing data rewritten under the new key; there is no per-resource "re-encrypt in place" switch.

Why this answer

Option D is correct because the key a resource's data is encrypted with is fixed when that data is written, and none of the three services rotates existing data onto a new key just because a default key is configured later. For Compute Engine, a disk's key cannot be changed: snapshot or clone it, create the new disk with `--kms-key`, attach it, and move the data (or build a new VM from it). For Cloud Storage, setting a bucket's default KMS key only affects objects written afterwards; existing objects are re-encrypted by rewriting them, for example `gsutil rewrite -k KEY -r gs://BUCKET` or `gcloud storage objects update --encryption-key=KEY`, which rewrites each object in place under the new key. For BigQuery, a dataset's default key likewise applies only to tables created afterwards, so copy the existing tables into a dataset created with the CMEK key.

The same policy's retention clause needs its own control: Admin Activity audit logs are kept for 400 days by default, so a 7-year record requires a log sink to a Cloud Storage bucket (ideally CMEK-protected, with a retention policy) or to BigQuery.

Exam trap

Google Cloud often tests the misconception that you can simply toggle encryption settings on existing resources to apply CMEK, when in reality CMEK must be configured at creation time and data must be migrated to new resources.

How to eliminate wrong answers

Option A is wrong because changing a resource's encryption settings does not trigger re-encryption: a bucket or dataset default key can be set at any time but only governs new writes, and existing disk, object, and table data stays under its original key until it is rewritten. Option B is wrong because deleting and recreating resources from backups is needlessly destructive and risks data loss, and the backups themselves would have to be re-encrypted under CMEK; a controlled migration is preferred. Option C is wrong because the DLP API is designed for content inspection and de-identification, not for re-encrypting data at rest with CMEK; it cannot change the key protecting a Cloud Storage object or BigQuery table.

162
MCQ · hard

A large enterprise is migrating their on-premises data center to Google Cloud. They have hundreds of VMs and need to minimize network latency between on-prem and cloud during migration. They have high bandwidth requirements. Which connectivity solution should they use?

A. Cloud Interconnect
B. Cloud VPN
C. Cloud NAT
D. Peering with Google
Answer: A

Dedicated connection with high bandwidth and low latency.

Why this answer

Cloud Interconnect provides a dedicated, high-bandwidth, low-latency connection between on-premises data centers and Google Cloud that does not traverse the public internet. Dedicated Interconnect offers 10 Gbps or 100 Gbps circuits terminated in a colocation facility; Partner Interconnect offers 50 Mbps to 50 Gbps through a service provider when the company cannot reach a colocation facility. Both carry an SLA when deployed in the recommended redundant topology, which is what a migration of hundreds of VMs needs for predictable throughput. One security note: Interconnect traffic is not encrypted by default, so if policy requires encryption in transit, run HA VPN over Cloud Interconnect, use MACsec on Dedicated Interconnect, or encrypt at the application layer.

Exam trap

The trap here is that candidates often confuse Cloud VPN with Cloud Interconnect, assuming VPN is sufficient for high-bandwidth, low-latency needs, but VPN's reliance on the public internet introduces jitter and bandwidth constraints that make it unsuitable for large-scale migrations.

How to eliminate wrong answers

Option B (Cloud VPN) is wrong because it uses IPsec tunnels over the public internet, which introduces variable latency, a limit of roughly 3 Gbps per tunnel, and no bandwidth SLA, making it unsuitable for a high-bandwidth, latency-sensitive migration. Option C (Cloud NAT) is wrong because it provides outbound internet access for VMs without external IPs; it does not establish a private connection between on-premises and cloud. Option D (Peering with Google, that is, Direct Peering or Carrier Peering) is wrong because it connects to Google's edge for Google Workspace and public Google APIs, not to a VPC network, and it comes with no SLA on bandwidth or latency.

163
MCQ · medium

A company uses Cloud SQL for PostgreSQL for their transactional database. They need a disaster recovery solution that provides cross-region failover with a recovery point objective (RPO) of less than 1 minute. Which solution meets these requirements?

A. Create a cross-region read replica and promote it during failover
B. Use Cloud Spanner for global strong consistency
C. Use a Cloud SQL for PostgreSQL instance with multiple zones
D. Take daily automated backups and restore in another region
Answer: A

Cross-region read replicas replicate data asynchronously with low RPO.

Why this answer

A cross-region read replica in Cloud SQL for PostgreSQL can be promoted to a standalone instance during a disaster, giving failover to another region. The replica uses PostgreSQL's native streaming replication, which is asynchronous, so the RPO is the replication lag at the moment of failure: normally seconds, but it grows under heavy write load, so watch the `cloudsql.googleapis.com/database/replication/replica_lag` metric and alert before it approaches the RPO. Promotion is one-way (the promoted instance stops replicating and the original primary, if it returns, must be rebuilt as a replica), so the application's connection strings and any secrets that reference the instance need to be part of the runbook. This meets the stated RPO without redesigning the application for global consistency.

Exam trap

Google Cloud often tests the distinction between high availability (within a region) and disaster recovery (cross-region), and the trap here is that candidates confuse multi-zone (regional) instances with cross-region failover, or assume that automated backups can meet a sub-minute RPO.

How to eliminate wrong answers

Option B is wrong because Cloud Spanner provides global strong consistency and automatic failover, but it is a different database service, not a solution for an existing Cloud SQL for PostgreSQL instance; migrating to Spanner would require significant application changes and is not a direct DR solution for Cloud SQL. Option C is wrong because a multi-zone (regional) Cloud SQL instance provides high availability within a single region, not cross-region failover, so it cannot protect against a regional outage. Option D is wrong because daily automated backups have an RPO of up to 24 hours (or the backup interval), which far exceeds the requirement of less than 1 minute; restoring from a backup also takes significant time, failing the recovery time objective.

164
MCQ · hard

A security team wants to audit all IAM role assignments in an organization. They need a historical record of changes. Which tool should they use?

A. Cloud Asset Inventory
B. Access Transparency
C. Cloud Audit Logs
D. Security Command Center
Answer: C

Cloud Audit Logs capture historical IAM policy changes for an organization.

Why this answer

Cloud Audit Logs, specifically the Admin Activity log, record every `SetIamPolicy` call together with the binding deltas it produced: who granted or removed which role for which member on which resource. Admin Activity logs are always on, cannot be disabled, and are kept in the `_Required` log bucket for 400 days, which is the default historical record. A caveat: 400 days is the limit, so a longer record requires routing the entries through a log sink to Cloud Storage or BigQuery. Cloud Asset Inventory (A) is primarily a current-state view; it does keep IAM policy history (`gcloud asset get-history --content-type=iam-policy`), but only for 35 days, so it is not the durable record the question asks for. Access Transparency (B) records actions by Google personnel on your content. Security Command Center (D) reports findings and posture, not a change log.

Exam trap

Google Cloud often tests the distinction between tools that show current state (Cloud Asset Inventory) and tools that record historical changes (Cloud Audit Logs), leading candidates to pick Cloud Asset Inventory because it "audits" resources; its change history is limited to 35 days, not the durable record the question needs.

How to eliminate wrong answers

Option A is wrong because Cloud Asset Inventory provides a snapshot of current IAM role assignments and other resources and keeps only a 35-day history of changes; it is not the audit trail. Option B is wrong because Access Transparency logs actions performed by Google personnel when accessing your data, not IAM changes made by your own users or services. Option D is wrong because Security Command Center is a security and risk management platform that aggregates findings and vulnerabilities; it does not keep a chronological history of IAM policy modifications.
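The entries a security team would work with look like the constructed records below. This is an added example for this page, not the page's code: it mirrors the shape of real Cloud Logging `SetIamPolicy` entries (`protoPayload.serviceData.policyDelta.bindingDeltas`) as returned by `gcloud logging read --format=json`, flattens them into one row per binding change, and flags two patterns worth alerting on (grants of high-risk roles, and actors granting roles to themselves). The project, identities and timestamps are made up.

```python
"""Pull IAM binding changes out of Admin Activity audit log entries (q. 164).

Added example; not the page's code. The entries are constructed to mirror the
shape of real Cloud Logging SetIamPolicy records (protoPayload.serviceData
.policyDelta.bindingDeltas) as returned by `gcloud logging read --format=json`;
the project, identities and timestamps are made up.
"""

# Logging filter that selects the same events; shown for reference only.
FILTER = ('logName:"cloudaudit.googleapis.com%2Factivity" '
          'AND protoPayload.methodName="SetIamPolicy"')

SAMPLE_ENTRIES = [
    {"timestamp": "2024-06-01T10:15:00Z",
     "protoPayload": {
         "methodName": "SetIamPolicy",
         "resourceName": "projects/demo-prj",
         "authenticationInfo": {"principalEmail": "alice@example.com"},
         "serviceData": {"policyDelta": {"bindingDeltas": [
             {"action": "ADD", "role": "roles/owner",
              "member": "user:bob@example.com"}]}}}},
    {"timestamp": "2024-06-02T09:00:00Z",
     "protoPayload": {
         "methodName": "SetIamPolicy",
         "resourceName": "projects/demo-prj",
         "authenticationInfo": {"principalEmail": "bob@example.com"},
         "serviceData": {"policyDelta": {"bindingDeltas": [
             {"action": "REMOVE", "role": "roles/viewer",
              "member": "group:auditors@example.com"},
             {"action": "ADD", "role": "roles/iam.serviceAccountTokenCreator",
              "member": "user:bob@example.com"}]}}}},
    # Unrelated Admin Activity entry that a naive grep for "bob" would also hit.
    {"timestamp": "2024-06-02T09:05:00Z",
     "protoPayload": {"methodName": "v1.compute.instances.insert",
                      "resourceName": "projects/demo-prj/zones/us-central1-a/instances/web-1",
                      "authenticationInfo": {"principalEmail": "bob@example.com"}}},
]

# Roles whose grant should page someone; extend for your environment.
HIGH_RISK_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin",
                   "roles/iam.serviceAccountTokenCreator"}


def binding_changes(entries):
    """Flatten SetIamPolicy entries into one row per binding delta.

    Row: (timestamp, actor, resource, action, role, member).
    """
    rows = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != "SetIamPolicy":
            continue
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "?")
        deltas = (payload.get("serviceData", {}).get("policyDelta", {})
                  .get("bindingDeltas", []))
        for d in deltas:
            rows.append((entry["timestamp"], actor, payload.get("resourceName"),
                         d["action"], d["role"], d["member"]))
    return rows


def risky_grants(entries):
    """ADD deltas for high-risk roles."""
    return [r for r in binding_changes(entries)
            if r[3] == "ADD" and r[4] in HIGH_RISK_ROLES]


def self_grants(entries):
    """ADD deltas where the actor granted a role to their own user identity."""
    return [r for r in binding_changes(entries)
            if r[3] == "ADD" and r[5] == f"user:{r[1]}"]


if __name__ == "__main__":
    for row in binding_changes(SAMPLE_ENTRIES):
        print(*row)
    print("self-grants:", self_grants(SAMPLE_ENTRIES))
```

Running the same logic continuously is a matter of routing the filtered entries through a log sink to Pub/Sub or BigQuery; the binding-delta shape is identical there.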

165
MCQ · easy

A company wants to reduce costs for a Cloud Storage bucket that stores infrequently accessed archival data. The data is accessed roughly once a quarter. Which storage class should they use?

A. Archive storage class.
B. Nearline storage class.
C. Standard storage class.
D. Coldline storage class.
Answer: D

Coldline is the class Google sizes for data read or modified about once a quarter; Archive is for data touched less than once a year.

Why this answer

Coldline is the documented fit for data accessed about once per quarter: it has a 90-day minimum storage duration and a per-GB retrieval charge that is well below Archive's. Archive has the lowest storage price of all four classes, but its retrieval charge is higher and its minimum storage duration is 365 days, which is why Google positions it for data accessed less than once a year. Which class is actually cheaper depends on how much of the dataset each quarterly access reads: if every read touches the whole dataset, Coldline wins comfortably; only if a read touches a small fraction does Archive's storage saving dominate. For the access pattern as stated, Coldline is the class whose published threshold matches.

Exam trap

Google Cloud often tests the access-frequency thresholds: Nearline for about once a month, Coldline for about once a quarter, Archive for less than once a year. The word "archival" in the question pulls candidates toward Archive, but the stated frequency (once a quarter) is exactly Coldline's threshold, and Archive's 365-day minimum and higher retrieval price make it the more expensive choice for data that really is read every quarter.

How to eliminate wrong answers

Option A (Archive storage class) is wrong because it is intended for data accessed less than once a year; quarterly reads pay its higher retrieval price four times a year, and its 365-day minimum storage duration means early deletion is billed as if the data had been kept for a year. Option B (Nearline storage class) is wrong because its 30-day minimum and higher storage price suit data accessed about once a month; for quarterly access it costs more to store than Coldline with no benefit. Option C (Standard storage class) is wrong because it is priced for frequently accessed data and has the highest storage cost of the four.
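The trade-off between storage price and retrieval price is easiest to see with numbers. The model below is an added example for this page, not from the exam or from Google; the prices are assumed illustrative per-GB list prices for a US region and exist only to show the shape of the decision (storage price falls from Standard to Archive while retrieval price and minimum storage duration rise), so check current pricing before relying on any figure. The dataset size and read pattern are constructed.

```python
"""Compare Cloud Storage classes for a quarterly-read dataset (question 165).

Added example; not from the page. The prices are ASSUMED illustrative
per-GB list prices for a US region and exist only to show the shape of the
decision (storage price falls from Standard to Archive while retrieval price
and minimum storage duration rise); check current pricing before using any
number. Dataset size and read pattern are constructed.
"""

CLASSES = {
    #            $/GB-month storage, $/GB retrieval, minimum storage days
    "STANDARD": {"store": 0.020, "retrieve": 0.00, "min_days": 0},
    "NEARLINE": {"store": 0.010, "retrieve": 0.01, "min_days": 30},
    "COLDLINE": {"store": 0.004, "retrieve": 0.02, "min_days": 90},
    "ARCHIVE": {"store": 0.0012, "retrieve": 0.05, "min_days": 365},
}


def yearly_cost(cls, gb, reads_per_year, read_fraction=1.0):
    """Storage for 12 months plus retrieval for the reads, in dollars.

    read_fraction is the share of the dataset each read touches (1.0 = all
    of it). Operation charges and early-deletion fees are not included.
    """
    c = CLASSES[cls]
    storage = gb * c["store"] * 12
    retrieval = gb * read_fraction * reads_per_year * c["retrieve"]
    return round(storage + retrieval, 2)


def cheapest(gb, reads_per_year, read_fraction=1.0):
    """Class with the lowest yearly cost for this access pattern."""
    return min(CLASSES,
               key=lambda cls: yearly_cost(cls, gb, reads_per_year, read_fraction))


def break_even_read_fraction(colder, warmer, reads_per_year):
    """Read fraction below which the colder class is cheaper than the warmer.

    Derived by equating the two yearly costs and solving for read_fraction.
    """
    a, b = CLASSES[colder], CLASSES[warmer]
    storage_saving = (b["store"] - a["store"]) * 12
    retrieval_penalty = (a["retrieve"] - b["retrieve"]) * reads_per_year
    return round(storage_saving / retrieval_penalty, 2)


def early_deletion_charge(cls, gb, age_days):
    """Extra storage billed when data is deleted before the minimum duration."""
    c = CLASSES[cls]
    unused_days = max(0, c["min_days"] - age_days)
    return round(gb * c["store"] * unused_days / 30, 2)


if __name__ == "__main__":
    for frac in (1.0, 0.1):
        print(f"read fraction {frac}: " + ", ".join(
            f"{cls} ${yearly_cost(cls, 1000, 4, frac)}" for cls in CLASSES)
            + f" -> {cheapest(1000, 4, frac)}")
    print("Archive beats Coldline below read fraction",
          break_even_read_fraction("ARCHIVE", "COLDLINE", 4))
```

With these assumed prices, 1 TB read in full four times a year costs about $128 in Coldline against about $214 in Archive; Archive only wins once each quarterly read touches less than roughly 28% of the data. That fraction, not the word "archival", is the decision variable.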

166
MCQ · hard

An organization's security policy requires that all Compute Engine VMs have Shielded VM features enabled. How can this be enforced at the organization level?

A. Create an Organization Policy with the constraint compute.requireShieldedVm.
B. Enable Cloud Audit Logs and review VM creations.
C. Use VPC Service Controls to restrict VM creation.
D. Assign a custom IAM role that only allows creation of Shielded VMs.
E. Use Deployment Manager templates that include Shielded VM.
Answer: A

Correct. The constraint blocks creation of any new VM that is not a Shielded VM.

Why this answer

Option A is correct because `constraints/compute.requireShieldedVm` is a boolean organization policy constraint, settable at the organization, folder, or project level, that the Organization Policy Service evaluates on every instance creation request. When enforced, a new VM must use a Shielded VM image with Secure Boot, vTPM, and integrity monitoring enabled; a request using a non-Shielded image (common with custom images imported from on-premises) is denied before the VM exists, so compliance does not depend on user behaviour or manual review. Two caveats from the documentation: Secure Boot can still be disabled on an instance after creation, and VMs that already existed when the policy was set keep running unchanged, so pair the constraint with a Security Command Center or Cloud Asset Inventory check for existing instances. The gcloud form is `gcloud resource-manager org-policies enable-enforce compute.requireShieldedVm --organization=ORG_ID`.

Exam trap

Google Cloud often tests the distinction between enforcement mechanisms (like Organization Policies) and detection or automation tools (like Audit Logs or Deployment Manager), leading candidates to choose options that only provide visibility or templates rather than actual policy enforcement.

How to eliminate wrong answers

Option B is wrong because Cloud Audit Logs only provide visibility into VM creation events; they do not prevent non-compliant VMs from being created, so they cannot enforce the policy. Option C is wrong because VPC Service Controls are designed to protect data exfiltration and control access to Google Cloud APIs, not to enforce VM-level security features like Shielded VM. Option D is wrong because custom IAM roles cannot restrict specific VM configuration parameters (e.g., Shielded VM settings); IAM controls who can create VMs, not how they are configured.

Option E is wrong because Deployment Manager templates can include Shielded VM settings, but they are not enforceable at the organization level—users can still create VMs outside of Deployment Manager without those settings.
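Questions 157 and 166 both turn on how a boolean organization policy constraint resolves down the resource hierarchy and what happens to a non-compliant create request. The model below is an added example for this page, not the page's code and not the Organization Policy Service itself; it reproduces the documented behaviour for boolean constraints (the closest policy on the resource or an ancestor decides, a child policy replaces the parent's, `reset` returns to the constraint default) and then applies the effective policy to constructed bucket and VM creation requests. Policy bodies use the YAML layout `gcloud org-policies set-policy` accepts, embedded as dicts; the hierarchy, resource names and requests are constructed.

```python
"""Resolve and apply boolean organization policy constraints (questions 157, 166).

Added example; not the page's code and not the Organization Policy Service.
It models the documented behaviour of boolean constraints: the effective
policy on a resource is the closest policy set on it or an ancestor (a policy
on a child replaces the parent's; `reset` returns to the constraint default),
and a create request that violates the effective policy is denied. Policy
bodies use the YAML layout `gcloud org-policies set-policy` accepts, embedded
as dicts; the hierarchy, resource names and requests are constructed.
"""

# Neither constraint is enforced until a policy says so.
CONSTRAINT_DEFAULTS = {
    "compute.requireShieldedVm": False,
    "storage.uniformBucketLevelAccess": False,
}

# Constructed hierarchy: organization -> folders -> projects.
PARENTS = {
    "projects/prod-app": "folders/100",
    "projects/sandbox": "folders/200",
    "folders/100": "organizations/1",
    "folders/200": "organizations/1",
    "organizations/1": None,
}

POLICIES = [
    {"name": "organizations/1/policies/compute.requireShieldedVm",
     "spec": {"rules": [{"enforce": True}]}},
    {"name": "organizations/1/policies/storage.uniformBucketLevelAccess",
     "spec": {"rules": [{"enforce": True}]}},
    # The sandbox folder deliberately switches the bucket constraint back off.
    {"name": "folders/200/policies/storage.uniformBucketLevelAccess",
     "spec": {"rules": [{"enforce": False}]}},
]


def _policy_on(resource, constraint, policies):
    for policy in policies:
        if policy["name"] == f"{resource}/policies/{constraint}":
            return policy["spec"]
    return None


def effective_enforce(resource, constraint, policies=POLICIES, parents=PARENTS):
    """Walk up from the resource; the first policy found decides."""
    node = resource
    while node is not None:
        spec = _policy_on(node, constraint, policies)
        if spec is not None:
            if spec.get("reset"):
                return CONSTRAINT_DEFAULTS[constraint]
            return any(rule.get("enforce", False) for rule in spec.get("rules", []))
        node = parents[node]
    return CONSTRAINT_DEFAULTS[constraint]


def check_request(project, request, policies=POLICIES):
    """Return (allowed, reason) for a constructed create request.

    request is {"kind": "compute.instance", "shieldedVmImage": bool} or
    {"kind": "storage.bucket", "uniformBucketLevelAccess": bool}.
    """
    if request["kind"] == "compute.instance":
        if (effective_enforce(project, "compute.requireShieldedVm", policies)
                and not request.get("shieldedVmImage", False)):
            return False, "compute.requireShieldedVm: image is not Shielded VM capable"
    elif request["kind"] == "storage.bucket":
        if (effective_enforce(project, "storage.uniformBucketLevelAccess", policies)
                and not request.get("uniformBucketLevelAccess", False)):
            return False, ("storage.uniformBucketLevelAccess: "
                           "bucket must enable uniform bucket-level access")
    return True, "ok"


if __name__ == "__main__":
    bucket_with_acls = {"kind": "storage.bucket", "uniformBucketLevelAccess": False}
    legacy_image_vm = {"kind": "compute.instance", "shieldedVmImage": False}
    for project in ("projects/prod-app", "projects/sandbox"):
        print(project, check_request(project, bucket_with_acls),
              check_request(project, legacy_image_vm))
```

The sandbox override is the point to notice when auditing: an organization-level `enforce: true` is not the effective policy everywhere, so check each folder and project with `gcloud org-policies describe CONSTRAINT --effective --project=PROJECT` rather than trusting the root.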

167
Multi-Select · easy

A company runs a containerized application on Cloud Run. Which TWO actions will most improve the reliability of the service?

Select 2 answers
A. Enable CPU always allocated
B. Disable concurrency
C. Deploy the service in multiple regions
D. Set min instances to at least 1
E. Use Cloud CDN
Answers: C, D

Multi-region deployment provides high availability and failover if one region becomes unavailable.

Why this answer

Setting min instances to at least 1 keeps a warm instance, which removes cold-start latency and the request failures that can accompany a burst of simultaneous cold starts. Deploying in multiple regions provides regional failover, provided a global external HTTP(S) load balancer with a serverless NEG per region fronts the services, since a single Cloud Run service is regional. CPU always allocated keeps CPU available outside request handling for background work; it does not change availability.

Disabling concurrency (one request per instance) lowers throughput per instance and raises cost without improving reliability. Cloud CDN caches static responses at the edge; it does not keep the service itself up.

168
Multi-Select · hard

Which THREE steps can reduce processing costs in a Dataflow streaming pipeline? (Choose three.)

Select 3 answers
A. Use side inputs instead of a cross join.
B. Use a batch pipeline for non-critical data.
C. Minimize the use of GroupByKey in streaming mode.
D. Use a custom runner.
E. Increase the number of workers.
Answers: A, B, C

Side inputs are more efficient than cross joins, reducing processing cost.

Why this answer

Option A is correct because side inputs broadcast a static or slowly changing dataset to all workers, avoiding the shuffle and per-element processing a cross join requires; in streaming mode a cross join needs stateful processing and amplifies data volume, whereas side inputs are distributed once and cached on each worker, cutting CPU, memory, and data movement. Option B is correct because non-critical data can be processed by a batch pipeline, which avoids Streaming Engine charges and can use FlexRS (flexible-start, preemptible-backed) workers. Option C is correct because GroupByKey in streaming mode shuffles every element and holds windowed state until the window fires; replacing it with CombinePerKey, which pre-aggregates on each worker before the shuffle, reduces both shuffle volume and state. Option D is wrong because a custom runner is not a cost lever on Dataflow, and Option E is wrong because more workers raise cost unless the pipeline is bottlenecked.

Exam trap

Google Cloud often tests the misconception that scaling out (increasing workers) always reduces costs, when in fact it increases costs unless the pipeline is bottlenecked; the trap is to confuse throughput optimization with cost reduction.

169
MCQ · hard

A company has Compute Engine instances that need to access the internet for updates but should not be reachable from the internet. They also need to access Google APIs and services like Cloud Storage. Which configuration meets these requirements?

A. Use Cloud NAT for outbound internet and enable Private Google Access on the subnet.
B. Assign external IPs to all instances and configure firewall rules to block inbound traffic.
C. Configure a VPN tunnel to an on-premises proxy server for internet access.
D. Use Cloud NAT for outbound internet and use external IPs for Google API access.
Answer: A

Cloud NAT allows outbound internet without external IPs; Private Google Access allows access to Google APIs via internal IPs.

Why this answer

Cloud NAT provides outbound internet connectivity for instances without external IPs, while Private Google Access allows those same instances to reach Google APIs and services (like Cloud Storage) using internal IPs via the subnet's default route. This combination ensures instances can initiate outbound connections to the internet and Google services but remain unreachable from the internet, meeting both security and functional requirements.

Exam trap

The trap here is that candidates often think Cloud NAT alone is sufficient for Google API access. It would work, but through the public API endpoints via the NAT gateway, consuming NAT ports and leaving the VPC; with Private Google Access enabled on the subnet, traffic from VMs without external IPs to Google APIs stays on Google's network and bypasses NAT entirely, which is the configuration the exam expects. A practical note: because the VMs have no external IP, nothing on the internet can initiate a connection to them regardless of firewall rules, but keep the implied deny-ingress rule in place and add only the internal allow rules the workload needs.

How to eliminate wrong answers

Option B is wrong because assigning external IPs makes instances directly reachable from the internet, even with firewall rules blocking inbound traffic; the external IP itself exposes the instance to potential attacks (e.g., DDoS) and violates the requirement that instances should not be reachable from the internet. Option C is wrong because a VPN tunnel to an on-premises proxy server adds unnecessary complexity, latency, and dependency on on-premises infrastructure; it does not directly address the need for Google API access, which is better served by Private Google Access. Option D is wrong because using external IPs for Google API access defeats the purpose of Cloud NAT; instances with external IPs are still reachable from the internet (even if only for API calls), and the requirement explicitly states instances should not be reachable from the internet.

170
MCQ · medium

A Cloud Run service frequently fails with 502 errors when making requests to a backend service running on Compute Engine. The two services are in the same VPC network. The Cloud Run service is configured with a VPC connector. What is the most likely cause?

A. The Cloud Run service needs to be peered with the VPC using VPC Network Peering.
B. The VPC connector is set to a low number of instances, causing traffic throttling.
C. The VPC connector is not attached to the correct subnet, or the firewall rules are blocking traffic from the connector's IP range.
D. The Cloud Run service's service account lacks the roles/compute.instanceAdmin role.
Answer: C

The VPC connector's subnet must have routes to the backend, and firewall rules must allow ingress from the connector's IP range.

Why this answer

Option C is correct because Cloud Run uses a VPC connector to send requests to resources in a VPC. If the connector is attached to the wrong subnet, its egress traffic may not reach the Compute Engine instance, or firewall rules may block traffic from the connector's IP range (e.g., 10.8.0.0/28). This results in 502 errors from the backend, as the Cloud Run service cannot establish a TCP connection to the Compute Engine instance.

Exam trap

The trap here is that candidates confuse VPC Network Peering (used for inter-VPC connectivity) with the VPC connector (used for serverless-to-VPC access), and they overlook the firewall rules that must explicitly allow traffic from the connector's IP range.

How to eliminate wrong answers

Option A is wrong because VPC Network Peering is used to connect two separate VPC networks, not to connect a serverless service to its own VPC; Cloud Run uses a VPC connector, not peering. Option B is wrong because a low number of VPC connector instances causes throttling or increased latency, not 502 errors; 502 errors indicate a failure to reach or get a valid response from the backend, not a capacity issue. Option D is wrong because the roles/compute.instanceAdmin role grants permissions to manage Compute Engine instances, but Cloud Run does not need that role to make HTTP requests to a backend; it only needs network connectivity via the VPC connector.

171
MCQ · easy

A company wants to deploy a standard VM image with pre-installed software across multiple projects. Which Google Cloud solution should they use to automate this process?

A. Cloud Build
B. Compute Engine
C. Cloud Deployment Manager
D. Cloud Shell
E. Artifact Registry
Answer: C

Correct. Deployment Manager automates resource deployment via templates.

Why this answer

Cloud Deployment Manager (option C) is the correct choice because it allows you to define a declarative template (in YAML, Jinja, or Python) that specifies the VM instance configuration, including the boot disk image with pre-installed software, and then deploy that template consistently across multiple projects. This automates the entire provisioning process, ensuring each VM is identical and reducing manual effort.

Exam trap

The trap here is that candidates often confuse Cloud Build (a CI/CD tool) with infrastructure deployment, or think Compute Engine itself can automate multi-project deployments, but neither provides the declarative, repeatable provisioning that Deployment Manager offers.

How to eliminate wrong answers

Option A (Cloud Build) is wrong because it is a CI/CD service for building, testing, and deploying software artifacts, not for provisioning infrastructure like VMs across projects. Option B (Compute Engine) is wrong because it is the IaaS service that provides the VM instances themselves, not an automation tool for deploying them. Option D (Cloud Shell) is wrong because it is a browser-based command-line environment for managing Google Cloud resources, not a deployment automation service.

Option E (Artifact Registry) is wrong because it is a service for storing and managing container images and packages, not for deploying VM instances.

172
MCQ · hard

A company uses Shared VPC. A project admin in a service project tries to create a subnet in the shared VPC network but receives a permission denied error. What is the most likely cause?

A. Only the Shared VPC host project admin can create subnets.
B. The service project admin lacks the compute.subnetworks.create permission on the host project.
C. The Shared VPC is not enabled for the service project.
D. Subnets must be created in the service project, not the host project.
Answer: B

Permission must be granted on the host project for subnet creation.

Why this answer

In a Shared VPC architecture, subnet creation is a privileged operation that can only be performed by a user with the compute.subnetworks.create permission on the host project. The service project admin, by default, does not have this permission in the host project, which is why the permission denied error occurs. Granting this permission to the service project admin at the host project level would resolve the issue.

Exam trap

Google Cloud often tests the misconception that service project admins have full control over the shared network, when in reality they only have usage permissions unless explicitly granted administrative permissions on the host project.

How to eliminate wrong answers

Option A is wrong because it is not strictly 'only the host project admin' who can create subnets; any user with the compute.subnetworks.create permission on the host project can do so, including a service project admin if that permission is explicitly granted. Option C is wrong because the Shared VPC being enabled for the service project is a prerequisite for using the shared network, but the error here is about permissions, not about the feature being disabled. Option D is wrong because subnets in a Shared VPC must be created in the host project, not the service project; the service project consumes subnets from the host project.

173
Matching · medium

Match each GCP monitoring/logging tool to its purpose.


Metrics, dashboards, alerts

Centralized log storage and analysis

Distributed tracing for latency analysis

Inspect code behavior in production

CPU and memory profiling

Why these pairings

These are operations tools in GCP.

174
MCQ · easy

A company runs a batch process every night that loads data into BigQuery. They want to ensure that if the job fails, it is retried automatically up to 3 times. Which configuration should they use?

A. Cloud Run jobs with --max-retries=3.
B. Cloud Scheduler with retry policy.
C. BigQuery load job with maximum retries setting.
D. Cloud Functions with error handling.
E. Cloud Composer (Airflow) tasks with retries.
Answer: E

Cloud Composer (Airflow) provides built-in task retry mechanism.

Why this answer

Option E is correct because Cloud Composer (Airflow) natively supports task-level retries via the `retries` parameter in task definitions, allowing you to specify up to 3 automatic retries on failure. This is the appropriate choice for orchestrating a batch process that loads data into BigQuery, as Airflow provides robust retry logic, dependency management, and monitoring for complex workflows.

Exam trap

Google Cloud often tests the distinction between a simple retry mechanism (like Cloud Scheduler or Cloud Functions) and a full workflow orchestration tool (Cloud Composer) that can manage retries within a multi-step batch process, leading candidates to pick a simpler option that lacks the necessary pipeline control.

How to eliminate wrong answers

Option A is wrong because Cloud Run jobs are designed for stateless containerized workloads, not for orchestrating batch data loads into BigQuery; their `--max-retries` applies to the job execution itself, not to the data loading step within a pipeline. Option B is wrong because Cloud Scheduler retry policies handle HTTP request failures, not the success or failure of the underlying BigQuery load job; it would retry the scheduler trigger, not the data load. Option C is wrong because BigQuery load jobs do not have a 'maximum retries setting' — they either succeed or fail, and retries must be managed externally by the caller.

Option D is wrong because Cloud Functions error handling (e.g., retry on failure) is for function execution, not for orchestrating a batch load job; it lacks the workflow-level retry control and dependency management needed for a nightly batch process.

175
MCQ · hard

A security architect is designing a zero-trust network for applications running on Compute Engine. They want to enforce that all traffic between VMs must be encrypted and authenticated, regardless of the VPC network. Which approach meets this requirement?

A. Configure each VM to use IPsec tunnels to every other VM.
B. Deploy Anthos Service Mesh with mTLS enabled.
C. Use Cloud VPN to encrypt all inter-VM traffic.
D. Enable VPC Flow Logs and use firewall rules to allow only encrypted traffic.
Answer: B

Service mesh with mTLS provides both encryption and authentication between services.

Why this answer

Mutual TLS (mTLS) through a service mesh provides both encryption and authentication at the application layer. Option A only encrypts and does not authenticate workloads. Option C (Cloud VPN) encrypts but does not authenticate workloads.

Option D is not a standard approach.

176
MCQ · hard

A large enterprise is migrating its on-premises data warehouse to BigQuery. The current warehouse is 100 TB and uses complex ETL jobs that run on SQL Server Integration Services (SSIS). The team wants to minimize migration effort and maintain the same SQL logic for transformations. They plan to use BigQuery's standard SQL. They also need to schedule transformations and load data from multiple on-premises sources. Which approach should they take?

A. Connect SSIS to BigQuery using ODBC and run SSIS packages in a VM on Compute Engine.
B. Rewrite SSIS packages as Dataflow pipelines using Apache Beam.
C. Use Data Fusion to replicate SSIS packages.
D. Use Cloud Composer (Airflow) to orchestrate SQL statements in BigQuery, and use Data Transfer Service for scheduled loads.
Answer: D

This approach allows reusing SQL logic and provides native scheduling with minimal code changes.

Why this answer

Option D is correct: Cloud Composer (Airflow) can orchestrate BigQuery SQL statements, and Data Transfer Service handles scheduled loads from on-premises sources, minimizing code changes. Option C (Data Fusion) does not directly replicate SSIS. Option B (Dataflow) requires rewriting SSIS packages.

Option A (SSIS on Compute Engine) still needs migration and doesn't leverage BigQuery's strengths.

177
MCQ · medium

A data analytics company runs nightly batch jobs using Compute Engine instances. The jobs can tolerate interruptions, and the company wants to minimize costs. What should they do?

A. Use preemptible VMs for the batch jobs.
B. Use C2 high-CPU machine types for faster processing.
C. Use standard (on-demand) VMs and commit to a 1-year resource-based commitment.
D. Deploy VMs on Sole-tenant nodes for cost isolation.
Answer: A

Preemptible VMs cost much less than standard VMs and can be interrupted, which is acceptable for batch jobs that are checkpointed.

Why this answer

Preemptible VMs (now called Spot VMs) are Compute Engine instances that last up to 24 hours and can be terminated at any time by Google Cloud. Because the batch jobs are interruptible, using preemptible VMs reduces compute costs by up to 60-91% compared to standard on-demand VMs, directly meeting the goal of minimizing costs.

Exam trap

The trap here is that candidates may confuse preemptible VMs with standard VMs and assume they are unreliable for any workload, but the question explicitly states the jobs can tolerate interruptions, making preemptible VMs the correct cost-saving choice.

How to eliminate wrong answers

Option B is wrong because C2 high-CPU machine types are optimized for compute-intensive workloads, not for cost minimization; they are more expensive per hour than standard machine types and do not address the interruptible nature of the jobs. Option C is wrong because committing to a 1-year resource-based commitment locks the company into a fixed cost for on-demand VMs, which is more expensive than preemptible VMs and unnecessary for interruptible batch jobs that do not require guaranteed availability. Option D is wrong because Sole-tenant nodes provide hardware isolation for compliance or licensing needs, not cost reduction; they actually increase costs due to premium pricing for dedicated hardware.

178
MCQ · hard

An organization needs to audit all changes to network firewall rules in a GCP project. Which service should be used to capture these changes?

A. Cloud Logging
B. Cloud Monitoring
C. Cloud Audit Logs
D. VPC Flow Logs
Answer: C

Audit logs capture all admin activity, including firewall rule changes.

Why this answer

Cloud Audit Logs (specifically Admin Activity audit logs) record all API calls that modify the configuration or metadata of resources, including changes to firewall rules. When a firewall rule is created, updated, or deleted, an audit log entry is automatically generated with details such as the user, timestamp, and the change made. This makes Cloud Audit Logs the correct service for auditing changes to network firewall rules in a GCP project.

Exam trap

The trap here is that candidates confuse Cloud Logging (which is a general log storage and analysis platform) with Cloud Audit Logs (which is a specific type of log that records administrative actions), leading them to pick A instead of C.

How to eliminate wrong answers

Option A is wrong because Cloud Logging is a service for ingesting, storing, and analyzing log data from various sources, but it does not natively capture configuration changes to firewall rules; it would require custom log sinks or agents to collect such data. Option B is wrong because Cloud Monitoring focuses on metrics, uptime checks, and alerting based on performance and health indicators, not on recording API-driven configuration changes. Option D is wrong because VPC Flow Logs capture network traffic metadata (e.g., source/destination IPs, ports, protocols) for flow-level analysis, not the administrative changes to firewall rule definitions.

179
MCQ · easy

A company runs a batch processing workload on Compute Engine instances in a managed instance group (MIG). The job is CPU-intensive and takes approximately 4 hours to complete. The company wants to reduce costs without sacrificing performance. Which action should they take?

A. Purchase committed use discounts for the instance type.
B. Change the machine series to a smaller machine type.
C. Use preemptible VMs for the MIG and implement a checkpointing mechanism to handle interruptions.
D. Provision additional reserved VMs to ensure capacity.
Answer: C

Preemptible VMs are up to 80% cheaper and, with checkpointing, can handle preemptions gracefully.

Why this answer

Preemptible VMs are significantly cheaper than standard VMs but can be terminated at any time. For a batch processing workload that is CPU-intensive and runs for 4 hours, using preemptible VMs in a MIG with a checkpointing mechanism allows the job to resume from the last saved state after an interruption, thus reducing costs without sacrificing performance.

Exam trap

Google Cloud often tests the misconception that committed use discounts are the best cost-saving option for any workload, but they are only cost-effective for predictable, always-on instances, not for batch jobs that can leverage preemptible VMs.

How to eliminate wrong answers

Option A is wrong because committed use discounts require a 1- or 3-year commitment and do not reduce costs for short-lived or interruptible workloads; they are best for steady-state, always-on instances. Option B is wrong because changing to a smaller machine type would reduce performance, potentially increasing job duration and negating cost savings. Option D is wrong because provisioning additional reserved VMs increases costs without addressing the need to reduce them, and reserved VMs are not cost-effective for batch jobs that can tolerate interruptions.

180
MCQ · easy

A developer needs to secure secrets (API keys, passwords) used in a Cloud Function. What is the recommended approach?

A. Store secrets in environment variables
B. Store in Cloud Storage and download at runtime
C. Use Secret Manager
D. Hard-code in the function code
Answer: C

Secret Manager provides secure storage and access control.

Why this answer

Secret Manager is the recommended approach for securing sensitive data like API keys and passwords in Cloud Functions because it provides encrypted storage, fine-grained access control via IAM, and automatic rotation. Unlike environment variables, which are visible in the Cloud Console and logs, Secret Manager ensures secrets are never exposed in plaintext and are injected securely at runtime.

Exam trap

Google Cloud often tests the misconception that environment variables are a secure way to store secrets because they are 'hidden' from code, but in reality they are plaintext and accessible via the Cloud Console and logs.

How to eliminate wrong answers

Option A is wrong because environment variables are not encrypted by default and can be viewed in the Cloud Console, logs, or by anyone with access to the function's configuration, making them insecure for secrets. Option B is wrong because storing secrets in Cloud Storage requires managing bucket permissions and encryption keys manually, and downloading at runtime introduces latency and potential exposure if the bucket is misconfigured. Option D is wrong because hard-coding secrets in function code exposes them in source control, build artifacts, and logs, violating security best practices and making rotation nearly impossible.

181
MCQ · easy

You are the lead cloud architect for a startup that runs a web application on Google Kubernetes Engine (GKE) with a standard (zonal) cluster. The application is deployed with 3 replicas of a stateless frontend service. During a recent incident, a zone outage caused all GKE nodes to become unavailable, leading to application downtime of 45 minutes. You need to redesign the cluster to tolerate a single zone failure with no more than 5 minutes of downtime. Your budget allows for at most a 20% increase in compute costs. Which approach should you take?

A. Increase the number of replicas from 3 to 9 and keep the zonal cluster
B. Change the frontend deployment to use regional persistent disks
C. Deploy a second GKE cluster in another region and use a global load balancer for failover
D. Migrate the cluster to a regional GKE cluster with nodes in 3 zones and distribute replicas across zones
Answer: D

Correct: a regional cluster survives a zone failure.

Why this answer

D is correct because a regional GKE cluster distributes nodes across three zones, ensuring that if one zone fails, the remaining two zones continue serving traffic. By spreading the 3 replicas across zones (e.g., one per zone), the application tolerates a single zone outage with near-zero downtime, and the 20% cost increase covers the additional node pool overhead without exceeding the budget.

Exam trap

The trap here is that candidates confuse increasing replica count with achieving zone redundancy, failing to realize that replicas must be distributed across failure domains (zones) to survive a zone outage, and that regional persistent disks are irrelevant for stateless workloads.

How to eliminate wrong answers

Option A is wrong because increasing replicas to 9 in a zonal cluster does not provide zone redundancy; all nodes remain in a single zone, so a zone outage still takes down all replicas. Option B is wrong because regional persistent disks are used for stateful workloads (e.g., databases) and do not help with zone-level node failure for a stateless frontend; the frontend does not require persistent disks. Option C is wrong because deploying a second cluster in another region introduces cross-region latency and failover complexity, and the 5-minute downtime target cannot be met with DNS propagation or global load balancer failover; it also likely exceeds the 20% cost increase due to full cluster duplication.

182
MCQ · easy

A financial services company is migrating a sensitive customer data application to Google Cloud. The application runs on Compute Engine VMs in a VPC. The security team requires that all data at rest in Cloud Storage and BigQuery must be encrypted with customer-managed encryption keys (CMEK). Additionally, the keys must be stored in a different project than the data, and access to the keys must be audited. The operations team has set up a CMEK key in Cloud KMS in a separate project, assigned the Cloud KMS CryptoKey Encrypter/Decrypter role to the data project's Compute Engine service account, and enabled Cloud Storage and BigQuery to use CMEK. However, when the application tries to read from Cloud Storage, it fails with 'Access Denied.' The Cloud KMS key is in project 'kms-proj' and the data is in project 'data-proj'. What is the most likely cause?

A. The Compute Engine service account used by the VM does not have the Cloud KMS Decrypter role.
B. The VPC firewall rules are blocking egress to Cloud KMS.
C. The Cloud KMS key has been disabled due to an Organization Policy.
D. The Cloud Storage service agent in 'data-proj' does not have the Cloud KMS CryptoKey Encrypter/Decrypter role.
Answer: D

Cloud Storage requires its service agent to have KMS permissions to encrypt/decrypt using CMEK. The team only granted permission to the Compute Engine service account.

183
MCQ · easy

A company runs a web application on Compute Engine instances. The application stores session state in files on local SSD. The company wants to reduce costs without sacrificing performance for a predictable traffic pattern. What should they do?

A. Use preemptible VMs in a managed instance group with autoscaling, and store session state in Redis (Memorystore).
B. Change the machine type to N2 standard and use committed use discounts.
C. Keep local SSDs but use sole-tenant nodes to reduce contention.
D. Migrate the session state to Cloud Firestore and use preemptible VMs.
Answer: A

Using preemptible VMs reduces cost, and storing session state in Memorystore ensures data persistence across preemptions.

Why this answer

Option A is correct because preemptible VMs reduce compute costs by up to 80%, and using a managed instance group with autoscaling handles the predictable traffic pattern efficiently. Storing session state in Redis (Memorystore) instead of local SSD ensures session data persists across VM preemptions and is shared among instances, which is critical for stateful applications. This combination maintains performance while eliminating the cost of always-on VMs.

Exam trap

Google Cloud often tests the misconception that local SSD is acceptable for session state if VMs are persistent, but the trap here is that any VM termination (preemption, maintenance, or autoscaling down) destroys local SSD data, so a shared external session store like Redis is mandatory when using preemptible or autoscaled instances.

How to eliminate wrong answers

Option B is wrong because changing to N2 standard machines and using committed use discounts reduces costs only if the workload runs continuously for 1 or 3 years, but it does not address the session state persistence issue—local SSD data is lost on VM termination, and the traffic pattern is predictable, not constant. Option C is wrong because sole-tenant nodes increase costs (dedicated hardware) and do not solve the session state problem; local SSD data is still ephemeral and lost on instance stop/termination. Option D is wrong because Cloud Firestore is a NoSQL document database not optimized for low-latency session state access (it is designed for mobile/web apps with eventual consistency), and preemptible VMs without a shared session store like Redis will lose session data on preemption.

184
Multi-Select · easy

Which TWO methods can be used to provide secure access to a private Google Kubernetes Engine (GKE) cluster from the internet? (Choose two.)

Select 2 answers
A. Expose the cluster via an internal load balancer.
B. Configure a Cloud NAT to allow inbound connections from the internet.
C. Use Cloud VPN to connect from an on-premises network that has internet access.
D. Assign a public IP address to the cluster master endpoint.
E. Use Identity-Aware Proxy (IAP) with TCP forwarding to access the cluster master.
Answers: C, E

An on-premises network can reach the private cluster over a VPN tunnel.

Why this answer

Option C is correct because Cloud VPN establishes an encrypted tunnel (using IPsec) from an on-premises network to a VPC in Google Cloud, allowing secure access to a private GKE cluster master endpoint without exposing it to the public internet. Option E is correct because Identity-Aware Proxy (IAP) with TCP forwarding enables authenticated and authorized access to the private cluster master endpoint via a bastion-like tunnel, without requiring a public IP on the master or a VPN.

Exam trap

The trap here is that candidates often confuse Cloud NAT (outbound-only) with a solution for inbound internet access, or mistakenly think an internal load balancer can provide internet-facing access to a private cluster.

185
MCQ · medium

What does the condition in this IAM policy do?

A. It denies Alice access to all buckets.
B. It allows Alice to view objects only in bucket-x.
C. It allows Alice to view objects in any bucket.
D. It allows Alice to list all buckets in the project.
E. It allows Alice to view and delete objects in bucket-x.
Answer: B

Correct. The condition limits the grant to resources under bucket-x.

Why this answer

The condition in the IAM policy restricts the `s3:GetObject` action to the `arn:aws:s3:::bucket-x/*` resource, which means Alice can only view (read) objects within that specific bucket. The `s3:ListBucket` action is also allowed on `bucket-x`, enabling her to list its contents. No other actions or buckets are permitted, making option B correct.

Exam trap

Google Cloud often tests the distinction between bucket-level actions (like `s3:ListBucket`) and object-level actions (like `s3:GetObject`), and the trap here is that candidates assume 'view objects' includes listing all buckets or deleting objects, when the policy only grants specific read permissions on a single bucket.

How to eliminate wrong answers

Option A is wrong because the policy explicitly allows access to bucket-x, not denies all buckets. Option C is wrong because the resource ARN is limited to bucket-x, not any bucket. Option D is wrong because the `s3:ListAllMyBuckets` action is not included in the policy, so Alice cannot list all buckets in the project.

Option E is wrong because the policy only grants `s3:GetObject` (view) and `s3:ListBucket` (list), not `s3:DeleteObject` (delete).

186
MCQ · hard

A financial services company must comply with PCI DSS. They use Cloud SQL for MySQL for transaction processing. They need to ensure that all data at rest is encrypted with keys generated and stored in a Hardware Security Module (HSM) and that key rotation occurs every 90 days. Which configuration should they use?

A. Use Cloud External Key Manager (EKM) to integrate with on-premises HSM
B. Use Cloud SQL with customer-supplied encryption keys (CSEK) and automate rotation with Cloud Scheduler
C. Use Cloud SQL with CMEK backed by Cloud HSM, and set automatic rotation period of 90 days
D. Use Cloud SQL's default encryption with organization policy requiring rotation
Answer: C

CMEK with Cloud HSM provides customer-controlled, HSM-backed keys with automatic rotation.

Why this answer

Cloud SQL CMEK with Cloud HSM allows HSM-backed keys and automatic rotation. Default encryption uses Google-managed keys; CSEK is for disks; EKM is for external KMS but adds complexity.

187
MCQ · hard

A financial institution stores sensitive customer data in Cloud Storage. They need to audit all data access and prevent unauthorized data exfiltration. They also require context-aware access controls based on user location and device. Which Google Cloud service should they configure?

A. Cloud Data Loss Prevention (DLP) for inspecting data
B. Cloud Audit Logs and Cloud Monitoring for alerts
C. VPC Service Controls with the perimeter set to the data layer
D. Access Transparency logs for audit
Answer: C

VPC Service Controls prevent data from leaving the perimeter and support context-aware access.

Why this answer

VPC Service Controls (option C) is correct because it creates a security perimeter around Google Cloud APIs, including Cloud Storage, to prevent unauthorized data exfiltration (e.g., copying data to an external project) while allowing context-aware access controls based on user location and device via Access Context Manager. This directly addresses the requirement for both audit (via Cloud Audit Logs integrated with the perimeter) and exfiltration prevention, which other services like DLP or Access Transparency alone cannot enforce.

Exam trap

Google Cloud often tests the distinction between detective controls (audit logs, DLP) and preventive controls (VPC Service Controls), leading candidates to choose audit-focused options like B or D when the question explicitly requires preventing data exfiltration.

How to eliminate wrong answers

Option A is wrong because Cloud Data Loss Prevention (DLP) is an inspection and classification service for sensitive data, not an access control or exfiltration prevention mechanism; it cannot block data access or enforce context-aware policies. Option B is wrong because Cloud Audit Logs and Cloud Monitoring provide logging and alerting for visibility but do not prevent unauthorized data exfiltration or enforce context-aware access controls; they are reactive, not proactive. Option D is wrong because Access Transparency logs provide audit records of Google staff access to customer data, not customer-side access controls or exfiltration prevention; they do not block data movement or enforce location/device-based policies.

188
Multi-Select · hard

A company runs a web application on App Engine Standard environment. The application experiences downtime during deployments due to traffic shifting. Which two strategies should they implement to improve reliability? (Choose two.)

Select 2 answers
A. Use Cloud Endpoints to manage API traffic and route deployments.
B. Increase the number of idle instances to handle traffic during deployment.
C. Use traffic splitting to gradually migrate traffic to the new version.
D. Deploy to a separate version and then shift traffic using the App Engine console or gcloud.
E. Set manual scaling to avoid autoscaling delays.
Answers: C, D

Gradual migration reduces the impact of any issues.

Why this answer

Option C is correct because App Engine's traffic splitting feature allows you to gradually shift traffic from the old version to the new version, minimizing the impact of deployment-related errors or performance issues. This incremental migration reduces the risk of a full outage during deployment and enables quick rollback if problems arise.

Exam trap

Google Cloud often tests the distinction between deployment strategies (traffic splitting/version shifting) and scaling or API management features, leading candidates to confuse operational scaling fixes with deployment reliability improvements.

189
Multi-Select · easy

Which TWO features help reduce costs for batch processing workloads on Compute Engine?

Select 2 answers
A. Preemptible VMs
B. Sustained use discounts
C. GPU accelerators
D. Sole-tenant nodes
E. Committed use discounts
Answers: A, B

Preemptible VMs are up to 80% cheaper and suitable for batch jobs.

Why this answer

Preemptible VMs are short-lived, low-cost instances that can be terminated at any time by Compute Engine, making them ideal for batch processing workloads that are fault-tolerant and can handle interruptions. They offer up to 80% cost savings compared to standard VMs, directly reducing costs for batch jobs that can checkpoint and resume.

Exam trap

The trap here is that candidates often confuse committed use discounts with sustained use discounts, but committed use discounts require a contractual commitment and are not suitable for batch workloads that may not run continuously, while sustained use discounts are automatic and better suited for long-running batch jobs.

190
MCQeasy

A startup is migrating a monolithic application to Google Cloud. They want to minimize operational overhead and auto-scale based on HTTP request load. Which compute solution should they choose?

A.Compute Engine managed instance groups with autoscaling
B.Google Kubernetes Engine (GKE)
C.Cloud Functions
D.Cloud Run
AnswerD

Fully managed, auto-scales based on HTTP requests, minimal overhead.

Why this answer

Cloud Run is the best choice because it is a fully managed serverless platform that automatically scales from zero based on HTTP request load, minimizing operational overhead. It abstracts away infrastructure management, supports containerized applications, and charges only for resources used during request processing, aligning perfectly with the requirement to auto-scale based on HTTP traffic.

Exam trap

The trap here is that candidates often choose GKE or Compute Engine for 'auto-scaling' without recognizing that serverless options like Cloud Run offer the same capability with significantly less operational overhead for HTTP-based workloads.

How to eliminate wrong answers

Option A is wrong because Compute Engine managed instance groups with autoscaling require managing virtual machines, patching OS, and configuring scaling policies, which increases operational overhead compared to serverless options. Option B is wrong because Google Kubernetes Engine (GKE) introduces cluster management, node patching, and container orchestration complexity, which is not minimal operational overhead for a simple HTTP workload. Option C is wrong because Cloud Functions is designed for event-driven, short-lived functions, not for running a monolithic application that typically requires a persistent runtime environment and longer request handling.

191
MCQeasy

A company has two VPC networks in the same project: vpc-a (us-central1) and vpc-b (us-east1). They want to allow communication between instances in these VPCs using internal IPs. Which action should they take?

A.Move both VPCs to the same region.
B.Set up VPC Network Peering between vpc-a and vpc-b.
C.Create a VPN tunnel between the VPCs.
D.Ensure firewall rules allow ingress from the other VPC's subnet ranges.
AnswerB

VPC peering enables internal IP communication across VPCs without any gateway.

Why this answer

VPC Network Peering connects two VPC networks so that instances communicate over internal IP addresses regardless of the regions their subnets are in, and it works within one project or across projects and organizations. It is the simplest option here: no Cloud VPN gateway, no tunnels and no resource moves. Traffic stays on Google's network rather than the public internet. Two caveats matter in practice: the subnet ranges of the two networks must not overlap, and peering exchanges routes only, so each network's own firewall rules still decide what is allowed through.

Exam trap

Google Cloud often tests the misconception that VPCs must be in the same region to use internal IPs, or that a VPN tunnel is required for cross-region connectivity, when in fact VPC Network Peering works across regions within the same project or across projects.

How to eliminate wrong answers

Option A is wrong because VPCs can be in different regions and still communicate via internal IPs using VPC Network Peering; moving both to the same region is unnecessary and would disrupt existing resources. Option C is wrong because a VPN tunnel is an over-engineered solution for VPCs within the same project—VPC Network Peering is simpler, has lower latency, and does not require a Cloud VPN gateway or tunnel configuration. Option D is wrong because while firewall rules are necessary to allow traffic, they are not sufficient on their own; the VPCs must first be connected via VPC Network Peering (or another connectivity method) for the firewall rules to have any effect.
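The peering setup behind the keyed answer, plus the firewall rule that option D alludes to, as an added Terraform example that is not part of the original page. Network names, regions and CIDR ranges are assumptions; the two ranges are chosen not to overlap because peering refuses overlapping subnets.

```hcl
# Added example, not part of the original page. Names and ranges are assumed.
resource "google_compute_network" "vpc_a" {
  name                    = "vpc-a"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "vpc_a_central" {
  name          = "vpc-a-us-central1"
  region        = "us-central1"
  network       = google_compute_network.vpc_a.id
  ip_cidr_range = "10.10.0.0/20"
}

resource "google_compute_network" "vpc_b" {
  name                    = "vpc-b"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "vpc_b_east" {
  name          = "vpc-b-us-east1"
  region        = "us-east1"
  network       = google_compute_network.vpc_b.id
  ip_cidr_range = "10.20.0.0/20"
}

# A peering is ACTIVE only once both sides exist; one side alone stays
# INACTIVE and carries nothing.
resource "google_compute_network_peering" "a_to_b" {
  name         = "vpc-a-to-vpc-b"
  network      = google_compute_network.vpc_a.self_link
  peer_network = google_compute_network.vpc_b.self_link
}

resource "google_compute_network_peering" "b_to_a" {
  name         = "vpc-b-to-vpc-a"
  network      = google_compute_network.vpc_b.self_link
  peer_network = google_compute_network.vpc_a.self_link
}

# Peering exchanges routes, not firewall rules. vpc-b still enforces its own
# ingress policy, so it needs an allow for vpc-a's range. This one is scoped
# to tagged backends and one port rather than allowing everything.
resource "google_compute_firewall" "vpc_b_allow_from_vpc_a" {
  name          = "vpc-b-allow-from-vpc-a"
  network       = google_compute_network.vpc_b.name
  direction     = "INGRESS"
  source_ranges = [google_compute_subnetwork.vpc_a_central.ip_cidr_range]
  target_tags   = ["api-backend"]

  allow {
    protocol = "tcp"
    ports    = ["8443"]
  }
}
```

After apply, gcloud compute networks peerings list --network=vpc-a should show the peering in state ACTIVE; if it shows INACTIVE, the other side has not been created or the ranges overlap.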

192
Matchingmedium

Match each GCP compute service to its characteristic.


Virtual machines with full control

Managed Kubernetes clusters

Serverless containers

Platform as a Service (PaaS)

Event-driven serverless functions

Why these pairings

These are the main compute options in GCP.

193
Matchingmedium

Match each GCP migration term to its description.


Move workloads without modification

Tool to migrate VMs to GCP

Physical device for large data transfer

Online data transfer from other clouds or on-prem

Migrate databases to Cloud SQL with minimal downtime

Why these pairings

These are migration-related services and concepts in GCP.

194
MCQmedium

A company is deploying a new application on Compute Engine. They need to ensure that the application can automatically recover from a zone failure. What is the best approach?

A.Create a managed instance group with instances in multiple zones.
B.Use a global load balancer in front of a single instance.
C.Create a single VM in a single zone and rely on live migration.
D.Use Cloud Storage to store application state and restore from a snapshot.
AnswerA

MIG auto-heals and distributes across zones.

Why this answer

A regional managed instance group (MIG) spreads its instances across several zones in a region and uses auto-healing (a health check plus recreate-on-failure) to replace unhealthy instances. If a zone becomes unavailable, the load balancer sends traffic to healthy instances in the remaining zones and the MIG recreates the missing capacity there, so recovery happens without manual intervention.

Exam trap

Google Cloud often tests the distinction between live migration (which handles host maintenance but not zone failures) and multi-zone MIGs (which handle zone failures), leading candidates to mistakenly choose live migration as a recovery mechanism.

How to eliminate wrong answers

Option B is wrong because a global load balancer in front of a single instance does not provide zone-level redundancy; if the zone fails, the single instance becomes unavailable, and the load balancer has no healthy backend to route traffic to. Option C is wrong because live migration only protects against host maintenance events, not zone failures; if the entire zone fails, the VM is lost and cannot be recovered automatically. Option D is wrong because storing application state in Cloud Storage and restoring from a snapshot is a disaster recovery approach, not an automatic recovery mechanism; it requires manual steps to recreate the VM and does not provide seamless failover.

195
Multi-Selectmedium

Which TWO statements are true about Google Cloud HTTPS Load Balancers?

Select 2 answers
A.They support only external backends, such as internet-facing instances.
B.They support only IPv4 traffic.
C.They can forward traffic to backends in multiple regions, including instances in different VPC networks.
D.They can be used to load balance internal HTTP(S) traffic within a VPC.
E.They are global resources and use a single anycast IP address.
AnswersC, E

Global HTTPS Load Balancers support multi-region backends, including across VPCs via Network Endpoint Groups.

Why this answer

Option C is correct because the global external HTTPS Load Balancer distributes traffic to backends across multiple regions, and it accepts backends beyond VMs in a single project's network: Shared VPC lets service-project instances serve as backends, and network endpoint groups let it front endpoints that are not ordinary VMs in the load balancer's own network. Option E is correct because the load balancer is a global resource reached through a single anycast IP address advertised from Google's edge, which steers each client to the nearest healthy backend.

Exam trap

The trap here is that candidates often confuse the global HTTPS Load Balancer (for external traffic) with the Internal HTTP(S) Load Balancer (for internal traffic), leading them to incorrectly select option D as true.

196
MCQhard

A company runs a real-time data analytics platform on Google Cloud that ingests streaming data from IoT devices. The architecture uses Cloud Pub/Sub to receive messages, Dataflow for processing, and BigQuery for storage. Recently, the team noticed that the processing latency has increased significantly during peak hours. Upon investigation, they found that the Dataflow pipeline is experiencing high system lag and some workers are being killed due to out-of-memory errors. The pipeline uses a fixed window of 10 seconds and writes to BigQuery using streaming inserts. The company wants to reduce latency without sacrificing data accuracy. Which course of action should they take?

A.Change the windowing to a global window and use batch inserts to BigQuery
B.Increase the number of Dataflow workers and machine type to handle the load
C.Implement a dead-letter queue for unprocessed messages and use a slower processing rate
D.Enable Dataflow streaming engine and use exactly-once processing mode
AnswerD

Streaming engine reduces memory usage; exactly-once ensures accuracy.

Why this answer

Option D is correct. Dataflow Streaming Engine moves window state and shuffle data out of the worker VMs into the Dataflow service backend, which removes the memory pressure behind the out-of-memory kills and lets autoscaling respond to lag with smaller, more responsive worker pools. Exactly-once processing preserves the accuracy requirement.

Option B (more and larger workers) may mask the symptom but leaves the state on the workers and raises cost. Option A (a global window with batch loads) trades timeliness for throughput and defeats the latency goal. Option C (a dead-letter queue and a slower rate) handles poison messages but does nothing for latency.

197
Multi-Selecthard

Which THREE are best practices for designing a highly available application on Compute Engine?

Select 3 answers
A.Use local SSDs for stateful data
B.Use a single large machine type
C.Use managed instance groups with autoscaling
D.Use an external load balancer with health checks
E.Distribute instances across multiple zones
AnswersC, D, E

Managed instance groups automatically handle scaling and healing.

Why this answer

Managed instance groups (MIGs) with autoscaling are a best practice for high availability because they automatically maintain a target number of healthy instances across zones, replacing failed instances and scaling based on load. This ensures the application can withstand instance failures and traffic spikes without manual intervention, directly supporting high availability.

Exam trap

Google Cloud often tests the misconception that local SSDs are suitable for stateful data in HA designs, but the trap is that local SSDs are ephemeral and data is lost on instance failure, so they should only be used for cache or temporary data, not for persistent state.
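This question and question 194 come down to one configuration: a regional managed instance group with a health-check-driven auto-healing policy and an autoscaler, fronted by a load balancer. The Terraform below is an added example and not from the page; names, region, zones, machine type and the /healthz port are assumptions. The health-check firewall rule is included deliberately: if Google's prober ranges are blocked, every instance looks unhealthy and auto-healing recreates the whole group in a loop.

```hcl
# Added example, not part of the original page. Names, region, zones and
# the health-check port are assumed.
resource "google_compute_health_check" "web" {
  name                = "web-hc"
  check_interval_sec  = 10
  timeout_sec         = 5
  healthy_threshold   = 2
  unhealthy_threshold = 3

  http_health_check {
    port         = 8080
    request_path = "/healthz"
  }
}

# Health-check probes come from these Google ranges; without this rule the
# checks fail and auto-healing destroys healthy capacity.
resource "google_compute_firewall" "allow_health_checks" {
  name          = "allow-health-checks"
  network       = "default"
  direction     = "INGRESS"
  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
  target_tags   = ["web"]

  allow {
    protocol = "tcp"
    ports    = ["8080"]
  }
}

resource "google_compute_instance_template" "web" {
  name_prefix  = "web-"
  machine_type = "e2-standard-2"
  tags         = ["web"]

  disk {
    source_image = "debian-cloud/debian-12"
    auto_delete  = true
    boot         = true
  }

  network_interface {
    network = "default"
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "google_compute_region_instance_group_manager" "web" {
  name                      = "web-rmig"
  region                    = "us-central1"
  base_instance_name        = "web"
  distribution_policy_zones = ["us-central1-a", "us-central1-b", "us-central1-c"]

  version {
    instance_template = google_compute_instance_template.web.id
  }

  # Recreate any instance that fails the check; the delay gives a fresh
  # instance time to boot before it is judged.
  auto_healing_policies {
    health_check      = google_compute_health_check.web.id
    initial_delay_sec = 120
  }

  # Rolling replacement with no reduction in serving capacity.
  update_policy {
    type                         = "PROACTIVE"
    minimal_action               = "REPLACE"
    max_surge_fixed              = 3
    max_unavailable_fixed        = 0
    instance_redistribution_type = "PROACTIVE"
  }
}

resource "google_compute_region_autoscaler" "web" {
  name   = "web-autoscaler"
  region = "us-central1"
  target = google_compute_region_instance_group_manager.web.id

  autoscaling_policy {
    min_replicas    = 3   # one per zone, so a zone loss leaves two serving
    max_replicas    = 12
    cooldown_period = 60

    cpu_utilization {
      target = 0.6
    }
  }
}
```

The backend service of the load balancer (not shown) references the same health check, so the balancer stops routing to an instance before auto-healing replaces it. Keep min_replicas at or above the number of zones, otherwise a single-zone failure can leave the group empty while it recreates capacity.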

198
MCQeasy

A media streaming company is deploying a new video transcoding pipeline on Google Cloud. The pipeline receives raw video files uploaded to Cloud Storage, triggers a Cloud Function that submits transcoding jobs to a Compute Engine worker pool, and stores the transcoded output in another Cloud Storage bucket. The workers are managed by a managed instance group (MIG) running a custom container image. Currently, when there is a spike in uploads, the MIG takes 5-7 minutes to scale up new workers, causing processing delays. The architect needs to reduce the time to add new workers to under 2 minutes. The workers are stateless and the container image is about 2 GB. What should the architect do?

A.Use Cloud Run instead of Compute Engine to run the transcoding workers
B.Increase the minimum number of instances in the MIG to 10
C.Replace the Compute Engine workers with Cloud Functions to handle the transcoding
D.Create a custom Compute Engine image that includes the container runtime and pre-pulled container
AnswerD

A custom image with the container already pulled reduces boot time as the image does not need to be downloaded.

Why this answer

Option D is correct because creating a custom Compute Engine image that includes the container runtime and pre-pulls the 2 GB container image eliminates the need to download the image during scale-up. This reduces the instance startup time from 5-7 minutes to under 2 minutes, as the container is already cached locally on the image, bypassing the network pull delay.

Exam trap

The trap here is that candidates may assume increasing the minimum instance count (Option B) solves the scaling delay, but it only pre-provisions a fixed number of instances and does not address the startup latency for additional instances beyond that baseline.

How to eliminate wrong answers

Option A is wrong because Cloud Run has a maximum request timeout of 60 minutes and is designed for stateless HTTP-triggered workloads, not for long-running, resource-intensive video transcoding jobs that require GPU or high CPU. Option B is wrong because increasing the minimum number of instances to 10 does not reduce the time to add new workers; it only ensures a baseline of running instances, but scaling up beyond that still incurs the same 5-7 minute delay due to container image pull. Option C is wrong because Cloud Functions have a maximum execution timeout of 9 minutes and limited memory/CPU, making them unsuitable for transcoding large video files, which often require sustained compute and storage access.

199
Multi-Selectmedium

Which TWO security best practices should be applied when configuring Cloud Functions that process sensitive data? (Choose two.)

Select 2 answers
A.Enable VPC connector and set ingress to internal to avoid public internet exposure.
B.Disable all inbound network traffic to the function.
C.Enable Cloud KMS customer-managed encryption for the function's environment variables.
D.Use the default Compute Engine default service account for simplicity.
E.Store secrets in Secret Manager and reference them from the function without hardcoding.
AnswersA, E

Ingress restricted to internal traffic keeps the function off the public internet, and a Serverless VPC Access connector lets its outbound calls reach private resources over internal IPs.

Why this answer

Options A and E are correct. Setting ingress to internal-only means the function accepts requests only from inside the VPC (or from a VPC Service Controls perimeter), and the VPC connector carries its outbound traffic to private resources over internal addresses instead of the public internet. Keeping secrets in Secret Manager and referencing them from the function keeps credentials out of source code and out of plain environment variables, which anyone with permission to view the function's configuration can read; it also allows rotation without a redeploy and leaves an audit trail of secret access.

Option B is wrong because inbound traffic cannot be switched off entirely; ingress settings can restrict it to internal or internal-plus-load-balancer sources, but the function still has to receive its trigger. Option C is wrong because CMEK is not a secrets mechanism: a customer-managed key changes who controls the key protecting stored artifacts, not who can read a secret placed in an environment variable, so sensitive values belong in Secret Manager. Option D is wrong because the Compute Engine default service account is typically granted the broad Editor role on the project; a function handling sensitive data should run as a dedicated service account holding only the roles it needs.
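The hardened configuration behind options A and E, as an added Terraform example that is not part of the original page. The function name, region, source bucket, connector range, secret name and the assumed 2nd-gen Cloud Functions runtime are all assumptions; the comments show the weaker settings each line replaces.

```hcl
# Added example, not part of the original page. Names, region, bucket and
# connector range are assumed.
variable "project_id" {
  type = string
}

# A dedicated identity instead of the Compute Engine default service account.
resource "google_service_account" "fn" {
  account_id   = "pii-processor"
  display_name = "pii-processor function identity"
}

resource "google_secret_manager_secret" "api_key" {
  secret_id = "pii-processor-api-key"

  replication {
    auto {}
  }
}
# The secret value is added out of band
# (`gcloud secrets versions add pii-processor-api-key --data-file=-`)
# so it never lands in Terraform state or source control.

# Only this function's identity may read the secret.
resource "google_secret_manager_secret_iam_member" "fn_reads_api_key" {
  secret_id = google_secret_manager_secret.api_key.id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.fn.email}"
}

resource "google_vpc_access_connector" "fn" {
  name          = "fn-connector"
  region        = "us-central1"
  network       = "default"
  ip_cidr_range = "10.8.0.0/28"
}

resource "google_cloudfunctions2_function" "processor" {
  name     = "pii-processor"
  location = "us-central1"

  build_config {
    runtime     = "python312"
    entry_point = "handle"

    source {
      storage_source {
        bucket = "pii-processor-source" # assumed bucket holding the zipped source
        object = "pii-processor.zip"
      }
    }
  }

  service_config {
    service_account_email = google_service_account.fn.email

    # Weak defaults these replace: ingress_settings = "ALLOW_ALL" and
    # running as the default compute service account.
    ingress_settings              = "ALLOW_INTERNAL_ONLY"
    vpc_connector                 = google_vpc_access_connector.fn.id
    vpc_connector_egress_settings = "ALL_TRAFFIC"

    # Instead of environment_variables = { API_KEY = "..." }, which anyone who
    # can view the function can read, the value is resolved from Secret Manager
    # when an instance starts. Pin a version number in production; "latest"
    # is used here for illustration only.
    secret_environment_variables {
      key        = "API_KEY"
      project_id = var.project_id
      secret     = google_secret_manager_secret.api_key.secret_id
      version    = "latest"
    }
  }
}
```

With ALL_TRAFFIC egress, every outbound connection from the function, including calls to Google APIs, leaves through the connector and is therefore subject to the VPC's egress firewall rules and Cloud NAT; use PRIVATE_RANGES_ONLY if only RFC 1918 destinations need the connector.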

200
Drag & Dropmedium

Drag and drop the steps to recover a Cloud SQL instance from a backup into the correct order.


Why this order

Restoring to an existing instance may overwrite data; best practice is to restore to a new instance.

201
MCQmedium

A company is deploying a multi-tier web application on Google Cloud. The application must comply with PCI DSS. Which combination of Google Cloud services should be used to restrict access to the database tier to only the application tier, while also encrypting data at rest and in transit?

A.Use Cloud Spanner with private IP and SSL/TLS, and enable Google-managed encryption keys
B.Use Cloud SQL with public IP and SSL/TLS, and enable Google-managed encryption keys
C.Use Cloud Datastore with secure WebSocket connections and enable customer-managed encryption keys
D.Use Cloud SQL with private IP and SSL/TLS, and enable Cloud Key Management Service (KMS) to create a key ring and customer-managed encryption key (CMEK)
AnswerD

Private IP isolates the database, SSL/TLS encrypts in transit, CMEK encrypts at rest with customer-managed keys.

Why this answer

Option D is correct because it meets all PCI DSS requirements: Cloud SQL with private IP ensures the database tier is not exposed to the public internet, restricting access to only the application tier within the same VPC. SSL/TLS encrypts data in transit, and using Cloud KMS with a customer-managed encryption key (CMEK) provides control over encryption keys for data at rest, which is often required for compliance.

Exam trap

The trap here is twofold: candidates assume Google-managed encryption keys settle the at-rest requirement, when PCI DSS also demands documented control over the key lifecycle (generation, rotation, retirement and access), which CMEK through Cloud KMS demonstrates directly; and they overlook that a public IP, even with SSL/TLS, fails the requirement to limit access to the application tier.

How to eliminate wrong answers

Option A is wrong because Cloud Spanner with private IP and SSL/TLS does encrypt data in transit and restrict network access, but the option leaves it on Google-managed keys, which may not satisfy an assessor's expectation of customer control over the key lifecycle. Option B is wrong because Cloud SQL with a public IP exposes the database endpoint to the internet, violating the requirement to restrict access to the application tier, even when SSL/TLS is enforced. Option C is wrong because Datastore clients talk to the service over gRPC/HTTP with TLS rather than "secure WebSocket connections", and the option says nothing about confining access to the application tier, so it does not meet the network restriction the question asks for.
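The keyed design as Terraform, added here as an example that is not from the page: Cloud SQL on a private IP reached through private services access, TLS required, a CMEK from Cloud KMS, and egress firewall rules that let only the tagged application tier reach the database range. Project, network, region, key and tag names are assumptions, as is PostgreSQL as the engine.

```hcl
# Added example, not part of the original page. Project, names, region and
# the "app-tier" network tag are assumed.
variable "project_id" {
  type = string
}

data "google_project" "current" {
  project_id = var.project_id
}

resource "google_compute_network" "app" {
  name                    = "app-vpc"
  auto_create_subnetworks = false
}

# Private services access: the instance's private IP is allocated from this
# reserved range, which is peered to Google's service-producer network.
resource "google_compute_global_address" "sql_range" {
  name          = "sql-private-range"
  purpose       = "VPC_PEERING"
  address_type  = "INTERNAL"
  prefix_length = 20
  network       = google_compute_network.app.id
}

resource "google_service_networking_connection" "sql" {
  network                 = google_compute_network.app.id
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = [google_compute_global_address.sql_range.name]
}

# CMEK: the key must be in the same region as the instance.
resource "google_kms_key_ring" "sql" {
  name     = "sql-keyring"
  location = "us-central1"
}

resource "google_kms_crypto_key" "sql" {
  name            = "sql-cmek"
  key_ring        = google_kms_key_ring.sql.id
  rotation_period = "7776000s" # 90 days
}

# Cloud SQL uses the key as its own service agent; creation fails until that
# identity can use it. The agent is provisioned with
# `gcloud beta services identity create --service=sqladmin.googleapis.com`.
resource "google_kms_crypto_key_iam_member" "sql_agent" {
  crypto_key_id = google_kms_crypto_key.sql.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.current.number}@gcp-sa-cloud-sql.iam.gserviceaccount.com"
}

resource "google_sql_database_instance" "cardholder" {
  name                = "cardholder-db"
  region              = "us-central1"
  database_version    = "POSTGRES_15"
  encryption_key_name = google_kms_crypto_key.sql.id
  deletion_protection = true

  depends_on = [
    google_service_networking_connection.sql,
    google_kms_crypto_key_iam_member.sql_agent,
  ]

  settings {
    tier = "db-custom-2-7680"

    ip_configuration {
      ipv4_enabled    = false # no public IP at all
      private_network = google_compute_network.app.id
      ssl_mode        = "ENCRYPTED_ONLY" # plaintext connections are refused
    }
  }
}

# Confine access to the application tier: deny egress to the database range
# for everything, then allow only app-tier instances on the PostgreSQL port.
locals {
  sql_cidr = "${google_compute_global_address.sql_range.address}/${google_compute_global_address.sql_range.prefix_length}"
}

resource "google_compute_firewall" "deny_db_egress" {
  name               = "deny-db-egress"
  network            = google_compute_network.app.name
  direction          = "EGRESS"
  priority           = 1000
  destination_ranges = [local.sql_cidr]

  deny {
    protocol = "all"
  }
}

resource "google_compute_firewall" "allow_app_tier_db_egress" {
  name               = "allow-app-tier-db-egress"
  network            = google_compute_network.app.name
  direction          = "EGRESS"
  priority           = 900
  destination_ranges = [local.sql_cidr]
  target_tags        = ["app-tier"]

  allow {
    protocol = "tcp"
    ports    = ["5432"]
  }
}
```

ssl_mode is the newer provider attribute; older provider versions express the same requirement as require_ssl = true. For mutual TLS, TRUSTED_CLIENT_CERTIFICATE_REQUIRED additionally demands a client certificate issued for the instance, which is a stronger fit for a cardholder data environment if the application tier can manage certificates.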

202
MCQhard

You are designing a Dataflow streaming pipeline for real-time event processing. The pipeline must be cost-effective while tolerating worker failures without data loss. Which configuration should you use?

A.Use a batch Dataflow job with preemptible workers.
B.Use high-memory machine types for all workers to avoid preemption.
C.Use FlexRS with preemptible workers and enable streaming engine.
D.Use a standard Dataflow job with non-preemptible workers.
AnswerC

FlexRS allows preemptible workers with cost savings; Dataflow's checkpointing prevents data loss on preemption.

Why this answer

Option C is the keyed answer. Streaming Engine keeps window state, timers and shuffle data in the Dataflow service backend rather than on worker VMs, so when a worker is lost (preempted or crashed) a replacement picks up from that durable state and no records are dropped; cheaper preemptible (Spot) workers then cut compute cost without putting data at risk. One caveat a practitioner should know: Google documents FlexRS as a scheduling mode for batch pipelines, so on a real streaming job the cost levers are Streaming Engine, autoscaling and right-sized workers, and this item is best read as testing that Streaming Engine, not the worker type, is what supplies failure tolerance.

Exam trap

Google Cloud often tests the misconception that bigger or more expensive machines are what make a pipeline reliable, when the durability comes from Streaming Engine's backend state; of the options given, C is the only one that pairs a cost-saving worker choice with that durable state.

How to eliminate wrong answers

Option A is wrong because batch Dataflow jobs do not support streaming mode, and preemptible workers in a batch job can cause data loss if not combined with appropriate checkpointing mechanisms, which are not designed for real-time event processing. Option B is wrong because using high-memory machine types does not prevent preemption; preemptible workers are still subject to termination, and this approach increases cost without addressing failure tolerance. Option D is wrong because non-preemptible workers are more expensive and do not inherently provide the cost-effectiveness required, while standard Dataflow jobs without Streaming Engine may lose data on worker failure in streaming mode due to lack of durable state persistence.

203
MCQhard

Company B uses Cloud Endpoints to expose their API. Recently, they started seeing 503 errors during periods of high traffic. They have enabled Cloud Endpoints with a moderate quota. The backend is running on Cloud Run. The Cloud Run service is configured with min instances = 0 and max instances = 100. The container concurrency is set to 80. The average request latency is 200ms. What is the most likely cause and what should they do?

A.The container concurrency is too low; increase it to 200.
B.The backend is experiencing cold starts; set a higher CPU limit.
C.Cloud Run is scaling too slowly; set min instances to a higher value.
D.The Cloud Endpoints quota is being exhausted; increase the quota.
AnswerC

Cold starts cause latency spikes leading to 503s; warm instances mitigate this.

Why this answer

The 503 errors during high traffic are most likely caused by Cloud Run's scaling latency. With min instances = 0, new requests must wait for a container to start (cold start), and during traffic spikes, the scaling algorithm may not provision instances quickly enough, leading to request timeouts and 503s. Setting a higher min instances value ensures a warm pool of containers is always ready to handle traffic bursts, reducing cold start delays.

Exam trap

The trap here is that candidates confuse 503 errors with quota exhaustion (option D) or misattribute the issue to concurrency limits (option A), when in fact the 503 is a classic symptom of Cloud Run's cold start and scaling delay with min instances = 0.

How to eliminate wrong answers

Option A is wrong because container concurrency (80) is already high; increasing it to 200 would not address the root cause of scaling delays and could overload containers, increasing latency. Option B is wrong because cold starts are caused by idle instances being shut down (min instances = 0), not by CPU limits; increasing CPU limits would not prevent cold starts. Option D is wrong because Cloud Endpoints quota is described as 'moderate' and the errors occur during high traffic on the backend, not at the API gateway; quota exhaustion would typically return 429 or 403 errors, not 503.

204
Multi-Selecthard

A company is migrating a legacy on-premises application to Google Cloud. The application has strict low-latency requirements between its components and requires stateful TCP sessions. Which TWO design decisions should the architect recommend?

Select 2 answers
A.Use regional managed instance groups with internal load balancing.
B.Use Cloud NAT for outbound connectivity.
C.Use global load balancing with Cloud CDN.
D.Use Cloud VPN for on-premises connectivity.
E.Place all components in the same VPC network.
AnswersA, E

Supports session affinity and preserves source IP for stateful protocols.

Why this answer

Options A and E are correct. Placing all components in the same VPC network keeps inter-component traffic on Google's internal network with no gateway, NAT or peering hop in the path, which minimizes latency and leaves source addresses intact for stateful sessions. Regional managed instance groups behind an internal passthrough Network Load Balancer preserve the client's source IP and support session affinity, so a TCP session keeps landing on the same backend.

Option B is incorrect because Cloud NAT only provides outbound internet access for instances without external IPs; it plays no part in traffic between components inside the VPC. Option C is incorrect because global load balancing and Cloud CDN are built for internet-facing HTTP(S) content, not stateful, low-latency traffic between internal components. Option D is incorrect because Cloud VPN connects on-premises networks to Google Cloud and says nothing about latency between components once they are in the cloud.

205
MCQmedium

A company is migrating its on-premises workloads to Google Cloud. They have strict compliance requirements that all data at rest must be encrypted with customer-managed encryption keys (CMEK). Which Google Cloud service should they use to manage the lifecycle of these keys?

A.Secret Manager
B.Cloud External Key Manager (Cloud EKM)
C.Cloud Key Management Service (Cloud KMS)
D.Cloud Hardware Security Module (Cloud HSM)
AnswerC

Cloud KMS is the correct service for managing CMEK.

Why this answer

Cloud KMS is the correct service because it provides centralized management of customer-managed encryption keys (CMEK) for Google Cloud services. It allows you to create, rotate, destroy, and set permissions on symmetric and asymmetric keys, and integrates directly with services like Cloud Storage, BigQuery, and Compute Engine to enforce encryption at rest with keys you control.

Exam trap

The trap here is that candidates often confuse Cloud HSM as a key management service, but Cloud HSM is a key storage backend for Cloud KMS, not a replacement for lifecycle management; you must use Cloud KMS to control key creation, rotation, and destruction even when using HSM-backed keys.

How to eliminate wrong answers

Option A is wrong because Secret Manager stores and versions secrets such as API keys, passwords and certificates; it is not a key management service and cannot be named as the CMEK for a Google Cloud resource. Option B is wrong because Cloud External Key Manager (Cloud EKM) lets a Cloud KMS key reference key material held in an external key manager so that the material never enters Google Cloud; the external system, not Google Cloud, controls that key's lifecycle, which makes EKM a choice for keys that must stay outside Google rather than the general service for managing CMEK. Option D is wrong because Cloud HSM is a protection level for Cloud KMS keys (FIPS 140-2 Level 3 validated hardware holding the key material), not a separate product: an HSM-backed key is still created, rotated, disabled and destroyed through the Cloud KMS API and IAM.

206
MCQeasy

A startup uses Cloud Functions for event-driven processing. They notice some functions are timing out. How to increase reliability without changing the business logic?

A.Increase the function timeout to the maximum allowed
B.Use Cloud Tasks to decouple and retry synchronously
C.Enable retry on failure for the event-driven function
D.Refactor the function to reduce complexity
AnswerC

Cloud Functions supports automatic retry for event-driven triggers, which handles transient timeouts.

Why this answer

Option C is correct because enabling retry on failure for an event-driven Cloud Function makes the platform redeliver the event when an invocation times out or throws, without any change to the function's code. Retries use exponential backoff and continue for up to seven days, which absorbs transient failures such as a slow downstream dependency. Two conditions follow from that: the function must be idempotent, because the same event will arrive more than once, and it should distinguish permanent errors (malformed input, a 4xx from an API) from transient ones and return normally for the permanent case, otherwise the same poisoned event is retried for the full window.

Exam trap

Google Cloud often tests the misconception that increasing timeout or refactoring code is the only way to handle timeouts, but the trap here is that enabling retry on failure is a configuration-only change that improves reliability without altering business logic.

How to eliminate wrong answers

Option A is wrong because raising the timeout to the maximum allowed (540 seconds for event-driven functions) does not address why invocations run long; it only delays the failure and ties up instances for longer. Option B is wrong because Cloud Tasks decouples and retries asynchronously, not synchronously, and introducing it would change the architecture and the calling code, contradicting the requirement to leave the business logic alone. Option D is wrong because refactoring the function changes the business logic, which the question explicitly rules out.

207
MCQhard

Refer to the exhibit. A Cloud Function processes files uploaded to Cloud Storage. It usually completes within 2 minutes, but recently it has been timing out after 540 seconds. What is the most likely cause?

A.The function's maximum timeout was set to 540 seconds, causing it to always take that long
B.A user uploaded a file larger than the maximum allowed size for the function (e.g., 6 GB), causing the processing time to exceed the 540s timeout
C.The function's memory limit is too low, causing thrashing and slowdown
D.The function entered an infinite loop
AnswerB

Large files take longer to process, causing the function to hit the timeout.

Why this answer

Option B is correct because Cloud Functions have a maximum execution timeout of 540 seconds (9 minutes). If a file larger than the function's memory and processing capacity is uploaded, the function may take longer than this hard limit to process it, resulting in a timeout. The exhibit indicates the function usually completes within 2 minutes, so a sudden spike to exactly 540 seconds strongly suggests the file size exceeded the function's ability to finish within the maximum allowed timeout.

Exam trap

Google Cloud often tests the misconception that a timeout is caused by a configuration error or infinite loop, rather than the function hitting the hard 540-second limit due to an oversized workload.

How to eliminate wrong answers

Option A is wrong because setting the function's maximum timeout to 540 seconds does not cause it to always take that long; the timeout is an upper bound, not a fixed execution time. Option C is wrong because low memory causing thrashing would typically result in out-of-memory errors or gradual slowdowns, not a consistent timeout exactly at 540 seconds. Option D is wrong because an infinite loop would cause the function to never complete, but Cloud Functions would still terminate at the 540-second timeout, not consistently hit that exact limit only when processing large files.

208
MCQmedium

A company stores backup data in Cloud Storage. They observe high egress costs when clients download backups. Additionally, they must retain backups for 7 years for compliance. Which optimization should they implement first?

A.Use lifecycle rules to transition to Archive after 30 days and delete after 7 years
B.Enable requester pays on the bucket
C.Set up a Cloud CDN for backup downloads
D.Move the backup data to Archive storage class
AnswerB

Requester pays shifts the egress cost to the client, solving the high egress issue.

Why this answer

High egress costs arise when clients download backups, and enabling Requester Pays on the bucket charges the network egress (and operation) costs to the project the requester names instead of the bucket owner. This addresses the cost problem directly and changes nothing about storage class or retention, which is why it comes first; lifecycle rules and storage classes tune storage cost and retention, a separate concern. Before turning it on, confirm that every downloading client can identify a billing project (the requester must supply one and hold the serviceusage.services.use permission on it), because anonymous or unprepared clients will start receiving errors.

Exam trap

Google Cloud often tests the misconception that changing storage class (e.g., to Archive) reduces egress costs, when in fact egress costs are independent of storage class and requester pays is the direct solution for shifting download costs.

How to eliminate wrong answers

Option A is wrong because lifecycle rules manage storage cost and retention, not egress costs; transitioning to Archive after 30 days reduces storage cost but does not shift or reduce the egress charges incurred during downloads. Option C is wrong because Cloud CDN caches content to reduce latency and origin load, but it does not eliminate egress costs; egress from Cloud CDN still incurs charges, and backups are poor cache candidates because each is downloaded rarely. Option D is wrong because moving to the Archive storage class lowers storage cost but not egress cost, and it adds retrieval fees and a 365-day minimum storage duration; that minimum is compatible with a seven-year retention requirement, but it is a separate concern from the download costs the question asks about.

209
MCQmedium

A company is migrating a monolithic application to Google Kubernetes Engine (GKE). The application currently runs on a single Compute Engine instance and stores session state in local memory. The migration must support horizontal scaling and high availability. What should the company do to manage session state in the new architecture?

A.Refactor the application to store session state in Cloud Memorystore for Redis and make the application stateless.
B.Use a StatefulSet with a headless service to assign stable network identities to pods.
C.Use GKE Ingress with session affinity (sticky sessions) to route requests to the same pod.
D.Store session state in Cloud SQL using a replicated database.
AnswerA

Redis provides a fast, scalable, shared session store that decouples session state from individual pods.

Why this answer

Option A is correct because migrating to a stateless architecture with Cloud Memorystore for Redis allows the application to scale horizontally without session state being tied to any single pod. By externalizing session state to a managed, highly available Redis service, any pod can handle any request, which is essential for high availability and autoscaling in GKE.

Exam trap

Google Cloud often tests the distinction between 'making the application stateless' versus 'using sticky sessions or StatefulSets'—the trap here is that candidates may think session affinity (Option C) is sufficient for high availability, but it actually creates a single point of failure at the pod level.

How to eliminate wrong answers

Option B is wrong because StatefulSets with headless services exist for workloads that need stable network identities and per-pod persistent storage (databases, brokers), not for spreading stateless web requests across interchangeable replicas; the session data would still live in one pod's memory. Option C is wrong because GKE Ingress session affinity pins a client to one pod, so load is uneven and any pod restart, scale-in event or rolling update loses that client's session; it papers over the problem rather than removing the state. Option D is wrong because Cloud SQL is a relational database that is durable but not designed for the high-frequency, low-latency reads and writes of session lookups; every request would pay a round trip and a query, and the connection pool becomes a bottleneck, where an in-memory store like Redis serves the same access pattern in sub-millisecond time.
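The externalized session store described above, as an added example that is not from the original page: a small store that works against any Redis-style client exposing `set(key, value, ex=...)`, `get` and `delete`. `FakeRedis` is a constructed in-memory stand-in so the snippet runs offline; in GKE you would pass `redis.Redis(host=<memorystore-ip>)` instead. Session IDs come from `secrets`, and only a SHA-256 hash of the ID is used as the Redis key, so a dump of the store does not hand out usable tokens.

```python
import hashlib
import json
import secrets
import time


class FakeRedis:
    """Constructed in-memory stand-in for redis.Redis (same set/get/delete shape)."""

    def __init__(self):
        self._data = {}

    def set(self, key, value, ex=None):
        expires = None if ex is None else time.monotonic() + ex
        self._data[key] = (value, expires)

    def get(self, key):
        item = self._data.get(key)
        if item is None:
            return None
        value, expires = item
        if expires is not None and time.monotonic() >= expires:
            del self._data[key]          # lazy expiry, like Redis TTLs from the client's view
            return None
        return value

    def delete(self, key):
        self._data.pop(key, None)


class SessionStore:
    """Session state kept in a shared store so any pod can serve any request."""

    def __init__(self, client, ttl_seconds=1800):
        self.client = client
        self.ttl = ttl_seconds

    @staticmethod
    def _key(token):
        # Store under a hash so the raw bearer token never sits in Redis.
        return "sess:" + hashlib.sha256(token.encode()).hexdigest()

    def create(self, data):
        token = secrets.token_urlsafe(32)          # 256 bits of randomness
        self.client.set(self._key(token), json.dumps(data), ex=self.ttl)
        return token

    def load(self, token):
        raw = self.client.get(self._key(token))
        return None if raw is None else json.loads(raw)

    def destroy(self, token):
        self.client.delete(self._key(token))


def two_pods_share_state(client):
    """Two SessionStore instances (two 'pods') share one backing store."""
    pod_a = SessionStore(client)
    pod_b = SessionStore(client)
    token = pod_a.create({"user": "alice", "role": "viewer"})
    seen_by_b = pod_b.load(token)   # pod B serves a request that pod A started
    pod_b.destroy(token)            # logout on pod B is visible to pod A
    return token, seen_by_b, pod_a.load(token)


if __name__ == "__main__":
    print(two_pods_share_state(FakeRedis()))
```

The TTL is set on every write, so idle sessions expire in the store without application code, and destroying a session on one replica is immediately visible to all others.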

210
Multi-Selecthard

A company uses Cloud KMS to encrypt sensitive data. They need to ensure that encryption key usage is audited and that keys are rotated automatically every 30 days. Which two actions should they take? (Choose two.)

Select 2 answers
A.Enable Data Access audit logs for the Cloud KMS API
B.Create a Cloud Trigger to manually rotate the key every month
C.Enable Cloud Key Management Service's key usage monitoring
D.Use Cloud External Key Manager to rotate keys externally
E.Enable key rotation on the key by setting a rotation period of 30 days
AnswersA, E

Data Access audit logs record every encrypt/decrypt operation for compliance.

Why this answer

Option A is correct because enabling Data Access audit logs for the Cloud KMS API records every key usage event (which principal called Encrypt, Decrypt or a key-management method, when, from where, and on which key version) in Cloud Audit Logs, which meets the auditing requirement. Only Admin Activity logs are on by default; Data Access logs must be turned on explicitly in the project's IAM audit configuration, and they add log volume, so plan retention and sinks accordingly. Option E is correct because Cloud KMS has native automatic rotation: set a rotation period of 30 days (and a next rotation time) on the key, and Cloud KMS creates a new primary key version on that schedule. Two caveats a practitioner should know: automatic rotation applies only to symmetric (ENCRYPT_DECRYPT) keys, and rotation does not re-encrypt existing ciphertext; earlier versions stay enabled so data encrypted under them can still be decrypted.

Exam trap

The trap here is that candidates confuse 'key rotation' with 'key usage monitoring', or assume that a scheduled trigger (Option B, which names no actual Cloud KMS feature) or an external key manager (Option D) satisfies the automatic rotation requirement, when in fact the native rotation period on the key is what the question is looking for.

211
MCQmedium

Refer to the exhibit. A Cloud Storage bucket has this IAM policy. What security recommendation should be made?

A.Remove the `allUsers` member and use signed URLs for public access.
B.Change `allUsers` to `allAuthenticatedUsers` to allow only authenticated users.
C.Enable uniform bucket-level access and update the IAM policy.
D.Remove the `roles/storage.objectViewer` role binding entirely.
AnswerA

Signed URLs provide controlled, temporary access without making the bucket publicly accessible.

Why this answer

The IAM policy grants `roles/storage.objectViewer` to `allUsers`, which makes every object in the bucket readable by anyone on the internet, with no authentication and no caller identity in the audit logs. The recommended fix is to remove the `allUsers` member and hand out signed URLs instead: a signed URL carries a signature computed with a service account key (or through the IAM `signBlob` API) over the object path and an expiry time, so the holder gets read access to one object for a bounded period and nothing else. If no bucket in the project is ever meant to be public, also enforce the `storage.publicAccessPrevention` organization policy so that `allUsers` and `allAuthenticatedUsers` grants are rejected outright.

Exam trap

Google Cloud often tests the misconception that `allAuthenticatedUsers` is a secure alternative to `allUsers`, but the trap is that it still allows any authenticated identity (including attackers) to access the data, whereas signed URLs provide granular, revocable, and auditable access.

How to eliminate wrong answers

Option B is wrong because changing `allUsers` to `allAuthenticatedUsers` still allows any authenticated Google account (including attackers with a free account) to read the objects, which does not provide fine-grained access control and still exposes the data broadly. Option C is wrong because enabling uniform bucket-level access only ensures that all access is governed by IAM policies rather than ACLs, but it does not address the underlying problem of granting public access via `allUsers`. Option D is wrong because simply removing the role binding without replacing it with a secure access method (like signed URLs) would break all access to the objects, which is not a security recommendation but a denial of service.

212
MCQeasy

You are using Cloud SQL for PostgreSQL. You want to ensure that data can be recovered to any point within the last 7 days. What should you enable?

A.Export the database daily to Cloud Storage.
B.Create a cross-region read replica.
C.Enable automated backups with a 7-day retention period.
D.Enable automated backups and set the backup configuration to enable binary logging (point-in-time recovery).
AnswerD

Point-in-time recovery replays archived transaction logs (WAL for PostgreSQL, the binary log for MySQL) on top of the most recent backup, allowing recovery to any point within the log retention window.

Why this answer

Option D is correct because, for Cloud SQL for PostgreSQL, enabling automated backups together with point-in-time recovery turns on WAL archiving (the option text says 'binary logging', which is the MySQL term for the same capability). With the archived logs retained for 7 days, you can restore the instance to any timestamp inside that window. Automated backups alone only let you restore to the moment each daily backup was taken. Note that a point-in-time restore always produces a new instance (a clone at the chosen timestamp); it does not rewind the existing instance in place.

Exam trap

The trap here is that candidates confuse automated backups (daily snapshots) with point-in-time recovery, assuming that a 7-day backup retention alone provides the ability to restore to any moment, when in fact archived transaction logs (WAL archiving on PostgreSQL, binary logging on MySQL) are required for that granularity.

How to eliminate wrong answers

Option A is wrong because exporting the database daily to Cloud Storage creates static snapshots at a single point in time each day; you cannot recover to arbitrary timestamps between exports, and the process is manual or scheduled, not a continuous recovery mechanism. Option B is wrong because a cross-region read replica provides read-only copies for disaster recovery or read scaling, but it does not enable point-in-time recovery or retain transaction logs for the primary instance. Option C is wrong because enabling automated backups with a 7-day retention period only stores daily full backups; without binary logging (WAL archiving), you can only restore to the exact backup timestamps, not to any arbitrary point within the 7 days.
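A check of the backup configuration that `gcloud sql instances describe INSTANCE --format=json` returns, as an added example that is not from the page or from Google. It encodes the terminology point above: PostgreSQL instances expose `pointInTimeRecoveryEnabled` (WAL archiving) while MySQL instances expose `binaryLogEnabled`, and in both cases automated backups plus a log retention window of at least 7 days are needed. The sample JSON is constructed; the field names follow the Cloud SQL Admin API's `settings.backupConfiguration` object.

```python
import json

# Constructed sample of the relevant part of `gcloud sql instances describe ... --format=json`.
INSTANCE_JSON = """{
  "name": "orders-db",
  "databaseVersion": "POSTGRES_15",
  "settings": {
    "backupConfiguration": {
      "enabled": true,
      "startTime": "02:00",
      "pointInTimeRecoveryEnabled": true,
      "transactionLogRetentionDays": 7,
      "backupRetentionSettings": {"retentionUnit": "COUNT", "retainedBackups": 7}
    }
  }
}"""


def pitr_findings(instance, required_days=7):
    """Return the reasons an instance cannot be restored to any point in the last `required_days`."""
    findings = []
    cfg = instance.get("settings", {}).get("backupConfiguration", {})
    version = instance.get("databaseVersion", "")

    if not cfg.get("enabled"):
        findings.append("automated backups are disabled")

    # PostgreSQL uses WAL archiving (pointInTimeRecoveryEnabled); MySQL uses the binary log.
    if version.startswith("POSTGRES"):
        log_flag, label = "pointInTimeRecoveryEnabled", "WAL archiving (point-in-time recovery)"
    elif version.startswith("MYSQL"):
        log_flag, label = "binaryLogEnabled", "binary logging (point-in-time recovery)"
    else:
        return findings + [f"unsupported databaseVersion for this check: {version!r}"]
    if not cfg.get(log_flag):
        findings.append(f"{label} is not enabled")

    retained_days = cfg.get("transactionLogRetentionDays", 0)
    if retained_days < required_days:
        findings.append(f"transaction logs retained {retained_days} days, need {required_days}")

    retention = cfg.get("backupRetentionSettings", {})
    if retention.get("retentionUnit") == "COUNT" and retention.get("retainedBackups", 0) < required_days:
        # Backups are daily, so N retained backups cover roughly N days.
        findings.append(f"only {retention.get('retainedBackups', 0)} daily backups retained, need {required_days}")
    return findings


def check_pitr(instance_json=INSTANCE_JSON):
    return pitr_findings(json.loads(instance_json))


if __name__ == "__main__":
    print(check_pitr() or "point-in-time recovery covers the last 7 days")
```

An empty result means the instance can be cloned to any timestamp in the last 7 days; anything else names the exact setting to change with `gcloud sql instances patch`.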

213
Multi-Selectmedium

Which TWO statements are true about Google Cloud VPC networks? (Select exactly 2.)

Select 2 answers
A.Each VPC network is regional in scope.
B.By default, no firewall rules are created in a new VPC.
C.Subnets are regional resources and can span zones.
D.VPC Peering allows private RFC 1918 connectivity across VPCs.
E.VPC Peering supports transitive routing.
AnswersC, D

Subnets are regional: a single subnet's range is usable by resources in every zone of its region.

Why this answer

Option C is correct because Google Cloud VPC subnets are regional resources; instances in any zone of the region can take addresses from the same subnet, so a zonal outage does not require separate subnets or extra routing to keep the other zones serving. Option D is correct because VPC Network Peering connects two VPC networks so their resources communicate over internal IP addresses (RFC 1918 or other internal ranges) without traversing the public internet, provided the subnet ranges do not overlap. Option A is false because VPC networks are global. Option B is false because every VPC has implied rules (deny all ingress, allow all egress) and the auto-created `default` network additionally ships with pre-populated allow rules. Option E is false because peering is non-transitive: if A peers with B and B with C, A cannot reach C.

Exam trap

The trap here is that candidates often confuse VPC scope with subnet scope, assuming VPCs are regional like in AWS, but Google Cloud VPCs are global, and they may also mistakenly believe VPC Peering supports transitive routing, which it explicitly does not.

214
MCQeasy

A small startup wants to deploy a containerized web application that scales automatically and only charges for resources used. They have limited operational experience. Which compute solution should they choose?

A.App Engine Standard Environment with a custom runtime.
B.Google Kubernetes Engine (GKE) with a multi-node pool.
C.Compute Engine with a managed instance group.
D.Cloud Run (fully managed).
AnswerD

Cloud Run manages scaling (including to zero) and bills for CPU and memory only while requests are being served, plus a per-request fee, which suits a startup with variable traffic and little operations staff.

Why this answer

Cloud Run is a fully managed serverless platform for containers that scales to zero and charges only while requests are being handled. Option A is wrong because App Engine Standard runs only its supported language runtimes; custom container runtimes belong to the Flexible environment, which does not scale to zero and bills for always-on instances. Option B is wrong because GKE requires cluster and node pool management that the team lacks the experience for, and nodes are billed whether or not they receive traffic.

Option C is wrong because a managed instance group on Compute Engine still requires the team to build images, size VMs and tune autoscaling, and VMs are billed while running regardless of load.

215
MCQhard

The exhibit shows a managed instance group configuration. What is the primary purpose of the 'autoHealingPolicies' section?

A.Distribute incoming traffic evenly across the instances.
B.Automatically add more instances when CPU utilization exceeds 60%.
C.Automatically replace instances that are deemed unhealthy based on the health check.
D.Automatically update instances to a new instance template.
AnswerC

Autohealing monitors instance health and replaces unhealthy ones.

Why this answer

The 'autoHealingPolicies' section in a managed instance group configuration is specifically designed to automatically replace instances that are deemed unhealthy based on a configured health check. When a health check probe (e.g., HTTP, TCP, or SSL) fails for a sustained period, the managed instance group terminates the unhealthy instance and creates a new one from the instance template, ensuring the desired number of healthy instances is maintained. This is distinct from autoscaling, which adjusts instance count based on load metrics.

Exam trap

Google Cloud often tests the distinction between 'autohealing' (health-based instance replacement) and 'autoscaling' (metric-based instance count adjustment), causing candidates to confuse the purpose of the 'autoHealingPolicies' section with scaling policies.

How to eliminate wrong answers

Option A is wrong because distributing incoming traffic evenly across instances is the function of a load balancer (e.g., HTTP(S) Load Balancer or Network Load Balancer) and its backend service, not the 'autoHealingPolicies' section of a managed instance group. Option B is wrong because automatically adding instances when CPU utilization exceeds 60% is a function of the 'autoscaling' policy (based on a CPU utilization metric), not the 'autoHealingPolicies' section, which only reacts to health check failures. Option D is wrong because automatically updating instances to a new instance template is achieved through a 'rolling update' or 'canary update' strategy (e.g., using the 'updatePolicy' section), not through 'autoHealingPolicies', which only replaces unhealthy instances with the current template.

216
MCQhard

An organization is using Shared VPC with multiple projects. They want to allow a service project to use a Cloud SQL instance created in the host project. Which step is required?

A.Create the Cloud SQL instance with a private IP and enable Private Services Access in the host project
B.Grant the service project's Cloud SQL service account the Cloud SQL Client role on the host project
C.Configure VPC peering between host and service project
D.Enable the Cloud SQL Admin API in the service project
AnswerA

Private Services Access creates a VPC peering between the host project and the Cloud SQL service producer.

Why this answer

When using Shared VPC, a service project can use a Cloud SQL instance with a private IP from the host project's VPC. To enable this, the Cloud SQL instance must be created with a private IP and Private Services Access must be configured in the host project. This establishes a VPC peering connection between the host project's VPC and the Google-managed Cloud SQL service network, allowing the service project's resources to communicate with the instance via internal IP.

Exam trap

Google Cloud often tests the misconception that VPC peering between host and service projects is required, when in fact Shared VPC eliminates that need and the actual peering is with the Google-managed service network via Private Services Access.

How to eliminate wrong answers

Option B is wrong because granting the service project's Cloud SQL service account the Cloud SQL Client role on the host project is not required; the service account is used for instance-level operations, not for network connectivity between projects. Option C is wrong because VPC peering between the host and service project is not needed; Shared VPC already provides network connectivity, and the required peering is between the host project's VPC and the Cloud SQL service network via Private Services Access. Option D is wrong because enabling the Cloud SQL Admin API in the service project is necessary for managing Cloud SQL instances from that project, but it does not enable network access to an instance in the host project.

217
MCQhard

Refer to the exhibit. Which statement is true about this Deployment Manager template?

A.The VM will be created in the us-central1-b zone.
B.The VM will use a custom machine type.
C.The VM will have a public IP address.
D.The boot disk will not be deleted when the VM is deleted.
AnswerC

The ONE_TO_ONE_NAT access config assigns an ephemeral external IP.

Why this answer

Option C is correct because the network interface in the template carries an `accessConfigs` entry of `type: ONE_TO_ONE_NAT`. That access config tells Compute Engine to attach an external IP address to the interface (an ephemeral one unless `natIP` names a reserved address), so the VM gets a public IP. Omitting the `accessConfigs` block entirely would produce a VM with an internal address only, which is the usual hardening choice when Cloud NAT or a load balancer can provide the external path instead.

Exam trap

Google Cloud often tests the distinction between predefined and custom machine types, and candidates may mistakenly think any machine type specified with a full path is custom, but the key is the name pattern (e.g., `n1-standard-*` vs. `custom-*`).

How to eliminate wrong answers

Option A is wrong because the template specifies `zone: us-central1-a`, not us-central1-b. Option B is wrong because the template defines `machineType: zones/us-central1-a/machineTypes/n1-standard-1`, which is a predefined standard machine type (1 vCPU, 3.75 GB memory), not a custom type. Option D is wrong because the `disks` block includes `autoDelete: true`, which means the boot disk will be automatically deleted when the VM is deleted, contrary to the statement.

218
MCQmedium

A startup is deploying a microservices application on Google Kubernetes Engine (GKE) with a regional cluster. They have services that need to communicate with each other and also with external APIs. The cluster uses VPC-native routing. They have enabled Cloud NAT to allow outbound internet access for nodes without external IPs. However, the development team reports that some pods cannot reach the external APIs, while others can. All pods are in the same namespace and are not using any network policies. The pods that fail have the annotation 'cloud.google.com/gke-nat-ips' set to a list of static IP addresses. The pods that work do not have this annotation. What is the most likely cause of the failure?

A.Network policies are blocking outbound traffic for those pods.
B.The VPC-native routing is misconfigured for the pods with the annotation.
C.The annotation is used to assign static IPs for inbound traffic only.
D.The annotation 'cloud.google.com/gke-nat-ips' is not compatible with Cloud NAT for outbound traffic.
AnswerD

The annotation is used for specific use cases, not with Cloud NAT.

Why this answer

The annotation 'cloud.google.com/gke-nat-ips', as the question describes it, assigns specific static IP addresses to the outbound traffic of the annotated pods instead of letting it pass through the Cloud NAT gateway. Their packets therefore leave from those static addresses rather than from the NAT gateway's IPs, so if the external API allowlists only the Cloud NAT addresses, or the static addresses are not routable from the cluster's VPC, the requests fail. Pods without the annotation use Cloud NAT's addresses, which are routed and allowlisted, and succeed. The quickest confirmation is to compare the source addresses seen by the API with the output of `gcloud compute routers get-nat-mapping-info` for the cluster's Cloud Router.

Exam trap

The trap here is that candidates often assume the annotation is for inbound traffic or that it works seamlessly with Cloud NAT, but in reality, it overrides Cloud NAT for outbound traffic and requires careful IP management and firewall configuration.

How to eliminate wrong answers

Option A is wrong because the question explicitly states that no network policies are in use, so there is no policy blocking outbound traffic. Option B is wrong because VPC-native routing is correctly configured for the cluster and works for pods without the annotation; the issue is specific to the annotation's interaction with Cloud NAT, not a misconfiguration of VPC-native routing itself. Option C is wrong because the annotation 'cloud.google.com/gke-nat-ips' is specifically designed to assign static IPs for outbound traffic from pods, not inbound traffic; inbound traffic uses load balancers or ingress resources.

219
MCQmedium

A company is designing a multi-region architecture for disaster recovery. Their primary region is us-central1 and they want a warm standby in another region. The application runs on Compute Engine with a stateful backend. Which approach minimizes RTO while keeping costs reasonable?

A.Use Cloud SQL cross-region replication and start Compute Engine instances on failover
B.Use a managed instance group in the secondary region with persistent disk snapshots and Cloud Load Balancing failover
C.Replicate the application to Cloud Run in the secondary region
D.Set up a managed instance group with instance templates in the secondary region without pre-provisioned instances
AnswerB

This provides warm standby with data replicated via snapshots.

Why this answer

Option B minimizes RTO by pre-provisioning Compute Engine instances in the secondary region via a managed instance group, using persistent disk snapshots for stateful data. This warm standby approach keeps instances ready to serve traffic with minimal startup delay, while Cloud Load Balancing failover automatically redirects traffic on primary region failure, balancing cost and recovery speed.

Exam trap

Google Cloud often tests the distinction between warm and cold standby by making candidates think that database replication alone (Option A) or serverless migration (Option C) meets the warm standby requirement, but they fail to address the stateful Compute Engine backend's need for pre-provisioned compute capacity and persistent disk state synchronization.

How to eliminate wrong answers

Option A is wrong because Cloud SQL cross-region replication provides database redundancy, but starting Compute Engine instances on failover introduces significant RTO due to instance boot time and application initialization, making it a cold standby rather than warm. Option C is wrong because Cloud Run is a serverless platform that does not support stateful backends with persistent disks or warm standby configurations, and it cannot directly replicate a stateful Compute Engine application without significant refactoring. Option D is wrong because a managed instance group without pre-provisioned instances means no instances are running in the secondary region, resulting in a cold standby with high RTO from instance creation and boot time, failing the warm standby requirement.

220
MCQhard

A security administrator wants to ensure that a Cloud Storage bucket named `gs://my-bucket` is only accessible by service accounts, not user accounts. Which action should they take?

A.Remove the user from the `roles/storage.objectViewer` binding and add a condition to deny user access.
B.Add a bucket IAM condition that requires `resource.name.startsWith("projects/_/buckets/my-bucket/objects/")`
C.Use a VPC Service Controls perimeter to block user access.
D.Create a new IAM policy that removes all user members and adds a service account member with `roles/storage.objectAdmin`.
AnswerD

Removing user members ensures only service accounts have access, and granting `roles/storage.objectAdmin` to a service account meets the requirement (grant a narrower role such as `roles/storage.objectViewer` if the workload only reads). Two things to verify afterwards: users may still reach the bucket through project- or folder-level role bindings, which the bucket's own policy does not show, and through legacy object ACLs unless uniform bucket-level access is enabled. Option A fails because an IAM Condition can only narrow an allow binding, not turn it into a deny; Option B filters on resource names rather than on identity type; and Option C (VPC Service Controls) restricts which networks and projects can call the API, not whether the caller is a user or a service account.
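An audit of a bucket IAM policy that covers both this question and question 211, as an added example that is not from the original page or from Google: it flags public principals (`allUsers`, `allAuthenticatedUsers`) and any member that is not a service account, then produces a tightened policy. The sample policy is a constructed stand-in for the output of `gcloud storage buckets get-iam-policy gs://my-bucket --format=json`; the bucket, project and account names are placeholders.

```python
import copy
import json

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample of `gcloud storage buckets get-iam-policy gs://my-bucket --format=json`.
BUCKET_POLICY_JSON = """{
  "etag": "CAE=",
  "version": 1,
  "bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers", "user:alice@example.com"]},
    {"role": "roles/storage.objectAdmin",
     "members": ["serviceAccount:app@example-proj.iam.gserviceaccount.com"]}
  ]
}"""


def audit_bindings(policy, allowed_prefixes=("serviceAccount:",)):
    """List (reason, member, role) for every principal that should not be on the bucket."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append(("public", member, binding["role"]))
            elif not member.startswith(allowed_prefixes):
                findings.append(("not-a-service-account", member, binding["role"]))
    return findings


def restricted_policy(policy, allowed_prefixes=("serviceAccount:",)):
    """Copy of the policy keeping only allowed principals; etag is kept for a safe write."""
    new_policy = copy.deepcopy(policy)
    kept = []
    for binding in new_policy.get("bindings", []):
        # Any IAM condition on the binding is carried over unchanged by the deep copy.
        binding["members"] = [m for m in binding["members"]
                              if m not in PUBLIC_PRINCIPALS and m.startswith(allowed_prefixes)]
        if binding["members"]:
            kept.append(binding)
    new_policy["bindings"] = kept
    return new_policy


def run(policy_json=BUCKET_POLICY_JSON):
    policy = json.loads(policy_json)
    return audit_bindings(policy), restricted_policy(policy)


if __name__ == "__main__":
    findings, fixed = run()
    for finding in findings:
        print(finding)
    print(json.dumps(fixed, indent=2))
```

Write the tightened policy back with `gcloud storage buckets set-iam-policy gs://my-bucket policy.json`; keeping the `etag` makes the write conditional, so it fails rather than overwriting a policy someone else changed in the meantime. The check only sees bucket-level bindings, so pair it with a look at project-level roles and, if uniform bucket-level access is off, at object ACLs.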

221
MCQeasy

Refer to the exhibit. The output is from `gcloud compute instances describe instance-1 --format=json`. What can you conclude from this output?

A.The instance is billed based on the n1-standard-2 machine type.
B.The instance is using a custom machine type.
C.The instance is using committed use discounts.
D.The instance has a GPU attached.
AnswerA

The machine type determines the billing rate; n1-standard-2 is the type shown.

Why this answer

The output from `gcloud compute instances describe instance-1 --format=json` would include a `machineType` field that specifies the full URL of the machine type, such as `https://www.googleapis.com/compute/v1/projects/.../zones/.../machineTypes/n1-standard-2`. This confirms the instance is using the predefined n1-standard-2 machine type, which has 2 vCPUs and 7.5 GB of memory, and billing is based on that predefined type. The absence of a `custom` suffix or custom CPU/memory values in the machine type field indicates it is not a custom machine type.

Exam trap

Google Cloud often tests the distinction between predefined and custom machine types by hiding the machine type in the `machineType` URL, and candidates mistakenly think any non-standard name implies a custom type, but the key is checking for the `custom-` prefix or explicit CPU/memory fields.

How to eliminate wrong answers

Option B is wrong because a custom machine type would appear in the `machineType` URL as `custom-<vCPUs>-<memoryMB>` or `<family>-custom-<vCPUs>-<memoryMB>` (e.g., `custom-2-8192` or `n2-custom-2-8192`), which is not the case for `n1-standard-2`. Option C is wrong because committed use discounts are a billing-level commitment that is not visible in the `gcloud compute instances describe` output; they appear in billing reports and in `gcloud compute commitments list`, not in instance metadata. Option D is wrong because an attached GPU would be listed in the `guestAccelerators` field of the instance description with its accelerator type and count; its absence means no GPU is attached.

222
Multi-Selecthard

A company is designing a hybrid network architecture connecting an on-premises data center to Google Cloud. They need high availability (99.99% SLA) and bandwidth up to 10 Gbps. They also need to use their existing MPLS circuits. Which THREE components should they include in the design? (Choose three.)

Select 3 answers
A.Two VLAN attachments to two different edge availability domains.
B.BGP sessions from each on-premises router to each Cloud Router.
C.Cloud CDN to cache content and reduce latency.
D.Dedicated Interconnect connections with at least two redundant links.
E.Cloud VPN tunnels with multiple gateways for failover.
AnswersA, B, D

Redundant VLAN attachments in different edge availability domains, carried on redundant Dedicated Interconnect links, with a BGP session to each Cloud Router, are the building blocks of the Interconnect SLA topologies.

Why this answer

Option A is correct because each VLAN attachment lands in an edge availability domain (EAD), one of two physically independent failure domains within a colocation facility metro; spreading attachments across both EADs means that maintenance or a failure in one does not take down the other. Be precise about what this buys: one connection per EAD in a single metro is the 99.9% topology. The 99.99% SLA requires the same pattern duplicated in a second metro (four connections and four VLAN attachments) with Cloud Routers in two regions and global dynamic routing, so Options A, B and D are each applied in both metros.

Exam trap

The trap here is that candidates reach for Cloud CDN or Cloud VPN. Cloud CDN only caches HTTP content and does nothing for private connectivity. HA VPN does carry a 99.99% availability SLA, but its per-tunnel throughput limits make a sustained 10 Gbps impractical and it runs over the public internet rather than the company's existing MPLS circuits. Dedicated Interconnect with redundant links and a BGP session to each Cloud Router is what satisfies both the bandwidth and the SLA.

223
MCQmedium

A company uses Cloud Composer to manage Apache Airflow workflows. They want to optimize costs. Which practice is most effective?

A.Configure auto scaling for the Cloud Composer environment
B.Use preemptible VMs for Airflow schedulers
C.Replace Cloud Composer with Cloud Functions for all workflows
D.Use small machine types for all Composer components
AnswerA

Auto scaling dynamically adjusts the number of workers to match demand.

Why this answer

Cloud Composer supports autoscaling for its workers, which dynamically adjusts the number of worker pods based on the Airflow task queue depth. This directly optimizes costs by scaling down during low-load periods and scaling up only when needed, avoiding over-provisioning.

Exam trap

The trap here is that candidates often assume preemptible VMs are always the best cost-saving measure, but they fail to recognize that Airflow schedulers and other critical components require persistent, reliable compute resources, making autoscaling a safer and more effective optimization.

How to eliminate wrong answers

Option B is wrong because Cloud Composer runs the scheduler and workers as managed components on a cluster it controls; you cannot place the scheduler on preemptible VMs, and a component that can be terminated at any moment is the wrong place for a scheduler in any case, since an interrupted scheduler stalls every DAG. Option C is wrong because Cloud Functions is not a replacement for Cloud Composer; Cloud Functions is designed for event-driven, short-lived tasks, not for orchestrating complex, long-running, dependency-heavy workflows that Airflow handles. Option D is wrong because using small machine types for every component, especially the scheduler and the metadata database, leads to bottlenecks, task queuing and failures, which end up costing more through retries and delays than the hardware saved.

224
Multi-Selectmedium

Which TWO are best practices when designing a VPC network for a multi-tier application in Google Cloud?

Select 2 answers
A.Disable VPC Flow Logs to reduce cost.
B.Create separate subnets for each application tier.
C.Use firewall rules to restrict traffic between tiers to only necessary ports.
D.Use a single subnet for all tiers to simplify IP management.
E.Rely on the default priority of firewall rules to ensure proper ordering.
AnswersB, C

Subnets allow segmentation and granular firewall rules.

Why this answer

Option B is correct because creating separate subnets for each application tier (e.g., web, application, database) gives each tier a distinct IP space that firewall rules and routes can reference, which isolates traffic between tiers and aligns with Google Cloud's guidance for multi-tier architectures. It also simplifies troubleshooting and scaling because each tier's addresses are predictable. Option C is correct because the subnets only provide the segmentation; the actual enforcement is firewall rules that allow only the required ports between tiers (for example TCP 5432 from the application tier to the database tier) and deny everything else. Target the rules by network tag or service account rather than by subnet range alone so that a VM moved into the wrong subnet does not inherit access it should not have.

Exam trap

The trap here is that candidates assume a single subnet simplifies management (Option D) or that disabling flow logs is a harmless cost-saving measure (Option A), but the exam expects you to prioritize security and observability over minor cost savings or administrative convenience.

225
MCQmedium

A financial services company requires that all data stored in Cloud Storage be encrypted with keys they manage, rotate, and audit. They also need to enforce encryption at the bucket level. Which configuration should they use?

A.Use default Google-managed encryption
B.Use Cloud KMS with customer-managed encryption keys (CMEK)
C.Use customer-supplied encryption keys (CSEK)
D.Enable CMEK at the bucket level with a Cloud KMS key
AnswerB

CMEK provides key rotation and audit through Cloud KMS.

Why this answer

Option B is correct because customer-managed encryption keys (CMEK) with Cloud KMS let the company manage, rotate and audit their own encryption keys while enforcing encryption at the bucket level: the bucket's default KMS key is applied to every object written without an explicit key. This meets the key lifecycle and auditing requirements because Cloud KMS integrates with Cloud Audit Logs for key usage tracking. Two practical notes: the project's Cloud Storage service agent must hold `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the key or writes will fail, and disabling or destroying the key renders the objects unreadable, which is the intended kill switch but also an outage risk if done by mistake.

Exam trap

The trap here is that candidates confuse CSEK with CMEK, thinking CSEK provides key management and auditing, when in fact CSEK requires the client to supply the key per request and lacks rotation and audit capabilities at the bucket level.

How to eliminate wrong answers

Option A is wrong because default Google-managed encryption uses Google-owned keys that the customer cannot manage, rotate, or audit, failing the key control requirement. Option C is wrong because customer-supplied encryption keys (CSEK) require the client to provide the key with each API call and do not support key rotation or auditing at the bucket level; they are also not persistent and cannot be enforced as a bucket-level policy. Option D is wrong because CMEK is already enabled at the bucket level by specifying a Cloud KMS key; the phrasing 'Enable CMEK at the bucket level with a Cloud KMS key' is redundant and misleading—CMEK is the mechanism, not a separate toggle, and the correct configuration is to set the bucket's default encryption to a CMEK key.
