Google Professional Cloud Architect (PCA) — Questions 301–375

509 questions total · 7 pages · All types, answers revealed


Page 5 of 7

301 (MCQ, medium)

After deploying the above configuration, the application is not receiving traffic from the Kubernetes Service. The Service is correctly configured to target port 8080. What is the most likely issue?

A. The initialDelaySeconds for the readiness probe is too short; increase it.
B. The port name is not defined; add a name to the container port.
C. The readiness probe is using HTTP but the container may not be ready on that path; change to TCP.
D. The image pull policy is not set to Always; new pods may use a stale image.
E. The liveness probe uses tcpSocket; it should be httpGet.
Answer: C

If /healthz is not served, the readiness probe fails and the pod is never marked ready.

Why this answer

Option C is correct because the readiness probe is configured as an HTTP GET request, but the application container may not be serving traffic on the specified HTTP path at startup. If the application listens on a TCP port but does not respond to HTTP GET on that path, the readiness probe will fail, causing the Service to not route traffic to the Pod. Changing the readiness probe to a TCP socket check ensures the probe only verifies that the port is open, which is more reliable when the application does not expose an HTTP endpoint for health checks.

Exam trap

Google Cloud often tests the distinction between readiness and liveness probes, and the trap here is that candidates confuse a failing readiness probe with a liveness probe issue, or assume that any HTTP probe is better than TCP without considering the application's actual behavior.

How to eliminate wrong answers

Option A is wrong because the initialDelaySeconds for the readiness probe being too short would cause the probe to start too early, potentially failing temporarily, but the application would eventually become ready; the issue described is that the application never receives traffic, indicating a persistent probe failure, not a timing issue. Option B is wrong because the port name is optional for Service targeting; the Service correctly targets port 8080 by number, so a missing port name does not prevent traffic routing. Option D is wrong because the image pull policy not being set to Always does not affect traffic routing; it only controls when the image is pulled, and stale images would still run and serve traffic if the container starts.

Option E is wrong because the liveness probe using tcpSocket is valid and does not affect traffic routing; the liveness probe is for restarting the container, not for Service traffic distribution.

302 (MCQ, medium)

Which traffic will this rule allow?

A. Outbound TCP traffic on ports 80 and 443 from instances with tag 'web-server' to IP ranges
B. Inbound TCP traffic on ports 80 and 443 from IP ranges to all instances
C. Inbound TCP traffic on ports 80 and 443 from any IP address to instances with tag 'web-server'
D. Inbound TCP traffic on ports 80 and 443 from IP ranges to instances with tag 'web-server'
Answer: D

Matches the rule definition exactly.

Why this answer

The rule allows inbound TCP on ports 80 and 443 from the specified IP ranges to instances tagged 'web-server'. It does not apply to all instances and is not outbound.

303 (MCQ, medium)

A company uses preemptible VMs for batch processing. They notice that during peak hours, many instances are terminated before finishing their tasks. The operations team observes the output shown in the exhibit. Which action would best improve job completion rates without significantly increasing costs?

A. Increase the number of instances to compensate for terminations
B. Use sole-tenant nodes for these instances
C. Use instance groups with a mix of preemptible and regular VMs
D. Use committed use discounts for 1 year
E. Switch to regular VMs for critical jobs
Answer: C

Combines the cost savings of preemptible VMs with the reliability of regular VMs.

Why this answer

Option C is correct because using a mixed instance group with both preemptible and regular VMs allows the batch processing job to continue on regular VMs when preemptible VMs are terminated during peak hours. This balances cost and reliability: preemptible VMs handle most of the workload at low cost, while regular VMs act as a fallback to ensure job completion without the full expense of switching entirely to regular VMs.

Exam trap

Google Cloud often tests the misconception that simply adding more preemptible VMs or switching entirely to regular VMs is the solution, but the correct answer requires a hybrid approach that balances cost and reliability using instance groups with a mix of VM types.

How to eliminate wrong answers

Option A is wrong because simply increasing the number of preemptible instances does not address the root cause of terminations during peak hours; it only increases the likelihood of more terminations and may lead to higher costs from repeated restarts. Option B is wrong because sole-tenant nodes provide dedicated hardware but do not prevent preemption; they are used for compliance or licensing, not for improving job completion rates of preemptible VMs. Option D is wrong because committed use discounts require a 1-year commitment and apply to regular VMs, not preemptible VMs, so they would increase costs without solving the termination issue.

Option E is wrong because switching all critical jobs to regular VMs would significantly increase costs, as regular VMs are more expensive than preemptible VMs, and the question asks for an improvement without significantly increasing costs.

304 (MCQ, easy)

A company wants to restrict data exfiltration from its Google Cloud projects by preventing resources from copying data to external IP addresses. Which service should they use?

A. HTTPS Load Balancer
B. VPC Service Controls
C. Cloud Armor
D. Cloud NAT
Answer: B

VPC Service Controls create a security perimeter around resources to prevent data exfiltration.

Why this answer

VPC Service Controls provide a security perimeter to reduce data exfiltration risk. Option C is wrong because Cloud Armor is for DDoS/WAF protection. Option D is wrong because Cloud NAT allows outbound connectivity, not restriction.

Option A is wrong because HTTPS load balancers do not prevent data exfiltration.

305 (Multi-Select, medium)

A company is deploying a microservices application on Google Kubernetes Engine (GKE). They want to ensure that the cluster can automatically scale based on custom metrics, such as the number of pending requests per pod. Which two steps should they take? (Choose TWO)

Select 2 answers
A. Deploy the Metrics Server in the cluster to expose custom metrics via the Custom Metrics API.
B. Modify the application to expose custom metrics via an endpoint and configure the HPA to reference the custom metric.
C. Enable the Cloud Monitoring API and create a custom dashboard to track pending requests.
D. Configure a HorizontalPodAutoscaler (HPA) with the target average CPU utilization set to 80%.
E. Enable GKE Autopilot mode to automatically manage scaling based on custom metrics.
Answers: A, B

The Metrics Server provides the Custom Metrics API, enabling HPA to use custom metrics.

Why this answer

Option A is correct because the Metrics Server is required to expose custom metrics via the Custom Metrics API in GKE. Without it, the HorizontalPodAutoscaler (HPA) cannot retrieve the custom metrics needed for scaling decisions. Option B is correct because the application must expose custom metrics (e.g., pending requests) through an endpoint, and the HPA must be configured to reference that custom metric name to trigger scaling based on that specific value.

Exam trap

The trap here is confusing the Metrics Server (which exposes resource metrics) with the need for a custom metrics adapter; candidates often think the Metrics Server alone handles custom metrics, but it only serves CPU/memory, not application-level custom metrics like pending requests.

306 (MCQ, medium)

A company wants to allow developers to create service accounts in a project but prevent them from granting the 'roles/iam.serviceAccountUser' role to any user. Which organization policy constraint should they set?

A. Set the constraint 'iam.restrictGrantableRoles' to ['roles/iam.serviceAccountUser'].
B. Set the constraint 'iam.allowedPolicyMemberDomains' to include only the company's domain.
C. Set the constraint 'iam.disableServiceAccountKeyCreation' to True.
D. Set the constraint 'iam.workloadIdentityPoolProviders' to deny all.
Answer: A

This constraint prevents granting the specified role, even if the user has permission to grant roles.

Why this answer

Option A is correct because 'iam.restrictGrantableRoles' restricts which roles can be granted in the project. Listing 'roles/iam.serviceAccountUser' in the constraint prevents developers from granting that role, even though they retain permission to create service accounts and grant other roles. Option B is wrong because 'iam.allowedPolicyMemberDomains' limits which domains can be members of IAM policies, not which roles can be granted. Option C is wrong because 'iam.disableServiceAccountKeyCreation' prevents the creation of service account keys, not the granting of roles. Option D is wrong because 'iam.workloadIdentityPoolProviders' governs workload identity federation, not role grants.

307 (MCQ, hard)

A company is using Cloud Armor with HTTP Load Balancing to protect a web application. They want to block traffic from specific IP ranges for all requests except those that include a valid reCAPTCHA token. Which Cloud Armor rule configuration should they use?

A. Use a rate-based rule to limit requests from those IP ranges and add a reCAPTCHA action.
B. Create a whitelist rule for the IP ranges and attach it as a deny rule with higher priority.
C. Create a deny rule for the IP ranges with a condition that the request does not contain a valid reCAPTCHA token.
D. Use Identity-Aware Proxy (IAP) to block the IPs and reCAPTCHA for others.
Answer: C

Deny unless a token is present; the token is evaluated via Cloud Armor rules.

Why this answer

Option C is correct because Cloud Armor security rules support boolean conditions using operators like `request.path` or custom headers. By creating a deny rule for the specific IP ranges with a condition that the request does not contain a valid reCAPTCHA token (evaluated via the `hasRecaptchaToken()` function), you allow traffic from those IPs only when the token is present. This directly implements the requirement without affecting other traffic.

Exam trap

The trap here is confusing Cloud Armor's rule-based conditional logic with rate limiting or identity-based access controls, leading candidates to choose rate-based rules (A) or IAP (D) instead of recognizing that a deny rule with a condition on reCAPTCHA token presence directly solves the requirement.

How to eliminate wrong answers

Option A is wrong because rate-based rules limit request frequency, not block IP ranges based on reCAPTCHA presence; they would still allow some requests without a token. Option B is wrong because a whitelist rule allows traffic by default, and attaching it as a deny rule with higher priority contradicts the whitelist concept; Cloud Armor evaluates rules by priority, and a deny rule for those IPs would block all traffic regardless of reCAPTCHA. Option D is wrong because IAP is an identity and access management layer for authentication, not a network-level IP blocking mechanism; it cannot conditionally block IPs based on reCAPTCHA tokens.

308 (Multi-Select, easy)

A company is designing a data processing pipeline in Google Cloud that must be HIPAA compliant. Which three security features should they implement? (Choose three.)

Select 3 answers
A. Encrypt data in transit using TLS
B. Enable Data Loss Prevention (DLP) for data classification
C. Use Cloud CDN for faster delivery
D. Implement VPC Service Controls to prevent data exfiltration
E. Use Cloud HSM for encryption keys
Answers: A, D, E

Required by HIPAA for data in transit.

Why this answer

HIPAA requires encryption of data in transit and at rest. Using Cloud HSM for CMEK provides strong encryption at rest. VPC Service Controls help restrict data access.

DLP is useful for identifying PHI but not mandatory; CDN is not a security feature.

309 (MCQ, easy)

A company is migrating a legacy monolithic application to Google Cloud. The application currently runs on a single on-premises server and uses a local MySQL database. The company wants to minimize changes to the application code while improving scalability and reliability. Which migration strategy should the architect recommend?

A. Refactor the application into microservices and deploy on Google Kubernetes Engine.
B. Rehost the application on Compute Engine and use Cloud SQL for MySQL as the database.
C. Containerize the application with Docker and run it on Cloud Run.
D. Migrate the database to Firestore and rewrite the application to use Firestore APIs.
Answer: B

Rehosting on Compute Engine with Cloud SQL minimizes changes and improves scalability and reliability.

Why this answer

Option B is correct because rehosting (lift-and-shift) the monolithic application to Compute Engine with Cloud SQL for MySQL minimizes code changes while improving scalability and reliability. Cloud SQL provides managed MySQL with automated backups, replication, and failover, addressing the need for reliability without requiring application refactoring.

Exam trap

The trap here is that candidates often over-engineer the solution by choosing containerization or microservices, forgetting that the primary constraint is minimizing code changes, not modernizing the architecture.

How to eliminate wrong answers

Option A is wrong because refactoring into microservices and deploying on GKE introduces significant code changes and complexity, contradicting the requirement to minimize changes. Option C is wrong because containerizing with Docker and running on Cloud Run requires the application to be stateless and HTTP-driven, which a legacy monolithic app with a local MySQL database typically is not; Cloud Run also does not support stateful workloads or persistent MySQL connections natively. Option D is wrong because migrating to Firestore and rewriting the application to use Firestore APIs requires substantial code changes and a shift from SQL to NoSQL, violating the minimize-changes constraint.

310 (MCQ, hard)

An organization wants to enforce that all Compute Engine VMs are created with specific disk encryption keys. Which policy mechanism should they use?

A. Organization policies with constraints/compute.restrictDiskEncryptionKeyTypes
B. IAM roles with compute.diskEncryptionKey permissions
C. VPC Service Controls
D. Cloud Scheduler to check compliance
Answer: A

Enforces allowed encryption key types at the org level.

Why this answer

Option A is correct because the Organization Policy constraint `constraints/compute.restrictDiskEncryptionKeyTypes` allows administrators to enforce that all Compute Engine VMs must use specific disk encryption key types (e.g., CMEK or CSEK). This policy is evaluated at resource creation time and blocks any VM that does not comply with the allowed key types, providing a preventive control rather than a reactive one.

Exam trap

The trap here is confusing IAM permissions (who can do something) with Organization Policy constraints (what is allowed to be done), leading candidates to choose IAM roles instead of the correct policy mechanism.

How to eliminate wrong answers

Option B is wrong because IAM roles with `compute.diskEncryptionKey` permissions control who can set or view encryption keys, but they do not enforce which key types must be used on VMs; IAM is an authorization mechanism, not a policy enforcement mechanism. Option C is wrong because VPC Service Controls are designed to protect data exfiltration by controlling access to Google Cloud APIs from outside a VPC perimeter, not to enforce disk encryption key types on Compute Engine VMs. Option D is wrong because Cloud Scheduler is a cron-like job scheduler that can trigger compliance checks, but it is a reactive, after-the-fact mechanism and cannot prevent non-compliant VM creation in real time.

311 (Multi-Select, hard)

A financial services company must meet PCI DSS compliance requirements for a Google Kubernetes Engine (GKE) cluster processing credit card data. Which TWO actions are required to help achieve PCI DSS compliance? (Choose two.)

Select 2 answers
A. Enable GKE Dataplane V2 for network policy enforcement.
B. Enable Shielded GKE nodes.
C. Configure Cloud Audit Logs for the cluster.
D. Use GKE Sandbox for all untrusted workloads.
E. Enable Binary Authorization on the cluster.
Answers: B, E

Shielded nodes provide verifiable integrity of the node's boot and kernel, a PCI DSS requirement.

Why this answer

Options B and E are correct. Binary Authorization ensures only signed container images are deployed, meeting code integrity requirements. Shielded GKE nodes provide verifiable integrity of the node's boot and kernel, ensuring the underlying infrastructure is secure.

Option A is wrong because GKE Dataplane V2 is a network policy enforcement mechanism but not a specific PCI DSS requirement. Option D is wrong because GKE Sandbox is for workload isolation but not explicitly required by PCI DSS. Option C is wrong because Cloud Audit Logs are already enabled by default and not an additional requirement.

312 (MCQ, hard)

An organization uses Cloud SQL for MySQL in a production environment. They need to ensure high availability with automatic failover in case of a zonal failure. Which configuration should they use?

A. Create a read replica in a different region.
B. Create a regional Cloud SQL instance with automatic failover.
C. Export the database daily and import into a new instance if failure occurs.
D. Deploy Cloud SQL across multiple regions using cross-region replication.
Answer: B

Regional instances provide a synchronous standby in another zone and automatic failover.

Why this answer

A regional Cloud SQL instance with automatic failover uses a primary and a standby zone within the same region, with synchronous replication between them. If the primary zone fails, Cloud SQL automatically promotes the standby to primary, ensuring high availability without data loss. This configuration meets the requirement for automatic failover during a zonal failure.

Exam trap

The trap here is that candidates confuse cross-region replication (available for other database engines) with the zonal high-availability feature for Cloud SQL for MySQL, or assume that a read replica can be used for automatic failover when it requires manual promotion.

How to eliminate wrong answers

Option A is wrong because a read replica in a different region provides read scalability and disaster recovery across regions, but it does not support automatic failover for the primary instance; failover would require manual promotion, which is not automatic. Option C is wrong because daily exports and manual imports are a backup and restore strategy, not a high-availability solution; it introduces significant downtime and potential data loss, failing the automatic failover requirement. Option D is wrong because Cloud SQL for MySQL does not support cross-region replication for automatic failover; cross-region replication is available for Cloud SQL for PostgreSQL and SQL Server, but for MySQL, it is limited to read replicas, which do not provide automatic failover.

313 (MCQ, medium)

A company is migrating an on-premises PostgreSQL database to Cloud SQL with minimal downtime. The database is 1 TB and the network link has 500 Mbps bandwidth. Which migration approach is most appropriate?

A. Set up a Compute Engine instance with PostgreSQL replication and switch over.
B. Use BigQuery Data Transfer Service to replicate data.
C. Export the database as a SQL dump, transfer it to Cloud Storage, and import into Cloud SQL.
D. Use Database Migration Service to perform continuous replication and then promote Cloud SQL.
Answer: D

Database Migration Service supports continuous replication from on-premises to Cloud SQL with minimal downtime.

Why this answer

Database Migration Service (DMS) supports continuous replication from on-premises PostgreSQL to Cloud SQL using native PostgreSQL logical replication (pglogical or native publication/slot). This allows near-zero downtime by keeping the target in sync until promotion, which is ideal for a 1 TB database over a 500 Mbps link where a full dump/restore would take hours.

Exam trap

Google Cloud often tests the misconception that a simple dump-and-import (Option C) is acceptable for large databases, but the trap here is ignoring the 'minimal downtime' requirement, which demands a continuous replication solution like DMS rather than a batch export/import.

How to eliminate wrong answers

Option A is wrong because setting up a Compute Engine instance with PostgreSQL replication requires manual configuration of replication slots, failover scripts, and does not integrate with Cloud SQL's managed service, adding operational overhead and risk. Option B is wrong because BigQuery Data Transfer Service is designed for loading data into BigQuery, not for replicating PostgreSQL databases to Cloud SQL; it cannot perform continuous replication or handle transactional consistency. Option C is wrong because exporting a 1 TB database as a SQL dump and transferring it over a 500 Mbps link would take approximately 4.5 hours (1 TB * 8 / 500 Mbps) plus import time, causing significant downtime, and it does not support continuous replication for minimal downtime.

314 (Multi-Select, hard)

A company wants to deploy a stateful application with strict low-latency requirements across multiple zones in a single region. They need to minimize inter-zone latency. Which THREE actions should they take? (Choose 3)

Select 3 answers
A. Place application instances in the same zone to minimize network hops
B. Use zonal SSD persistent disks
C. Deploy instances in a managed instance group across multiple zones
D. Use a regional internal TCP/UDP load balancer
E. Use Dedicated Interconnect for on-premises connection
Answers: A, B, D

Same zone reduces latency.

Why this answer

Option A is correct because placing all application instances in the same zone eliminates cross-zone network hops, which directly reduces inter-zone latency to near zero. For a stateful application with strict low-latency requirements, this co-location ensures that traffic between instances stays within a single failure domain, avoiding the additional latency introduced by traversing zone boundaries.

Exam trap

The trap here is that candidates often assume multi-zone deployment is always required for high availability, but the question explicitly prioritizes minimizing inter-zone latency, making same-zone placement the correct choice despite the trade-off in fault tolerance.

315 (MCQ, easy)

A company runs a batch job every night that processes large CSV files stored in Cloud Storage. The job runs on a single Compute Engine VM and takes 4 hours to complete. The team wants to reduce execution time without increasing cost substantially. The job is CPU-intensive and can be parallelized. What should they do?

A. Migrate the job to Dataproc and run it as a Spark job.
B. Use Cloud Batch to run the job as a batch job that automatically scales.
C. Use a VM with more vCPUs and a higher CPU platform.
D. Split the input files into smaller chunks and use multiple VMs in a managed instance group with a job scheduler.
Answer: D

Parallelizing across multiple VMs reduces execution time with only a linear increase in cost.

Why this answer

Option D is correct: splitting the input files and using multiple VMs in a managed instance group leverages parallelism effectively. Option C (bigger VM) increases cost. Option B (Cloud Batch) still requires a parallelization design.

Option A (Dataproc) may introduce overhead and cost.

316 (Multi-Select, hard)

Which THREE factors should be considered when selecting a machine series for a Compute Engine instance running a memory-intensive batch job?

Select 3 answers
A. Network throughput.
B. Sustained use discount.
C. GPU availability.
D. Memory per vCPU ratio.
E. vCPU count.
Answers: A, D, E

Batch jobs often involve data transfer; higher throughput reduces time.

Why this answer

Network throughput (A) is a critical factor for a memory-intensive batch job because such jobs often involve reading or writing large datasets from persistent storage or other sources over the network. The instance series must provide sufficient network bandwidth to avoid I/O bottlenecks that could extend job completion time, even if the compute and memory resources are adequate.

Exam trap

Google Cloud often tests the distinction between factors that influence technical workload performance (like network throughput and memory ratio) versus cost-saving mechanisms (like sustained use discounts) that are applied automatically and do not affect the suitability of a machine series.

317 (MCQ, medium)

A company uses Cloud Storage for backups of on-premises databases. They want to ensure that data is protected against accidental deletion or modification by users. Which combination of features should they enable?

A. Object versioning and lifecycle management to delete old versions.
B. Bucket locking with retention policy and bucket-level IAM restrictions.
C. Bucket locking with retention policy and object holds.
D. Object versioning and bucket locking with retention policy.
E. Object versioning and IAM conditions restricting access to specific IP ranges.
Answer: D

Versioning preserves overwrites; retention policy prevents deletion.

Why this answer

Option D is correct because object versioning protects against accidental deletion or modification by preserving all versions of an object, while a bucket lock with a retention policy enforces a minimum retention period, preventing premature deletion or alteration. Together, they provide both recoverability and immutable compliance, which is essential for backup data integrity.

Exam trap

Google Cloud often tests the misconception that object holds alone provide sufficient immutability, but they are per-object and temporary, whereas a bucket lock with a retention policy provides a bucket-wide, locked-in immutable period that cannot be bypassed even by the bucket owner.

How to eliminate wrong answers

Option A is wrong because lifecycle management to delete old versions actively removes data, which contradicts the goal of protecting against accidental deletion. Option B is wrong because bucket-level IAM restrictions alone do not prevent a user with sufficient permissions from deleting or modifying objects; they lack the versioning-based recovery mechanism. Option C is wrong because object holds are temporary and must be manually applied per object, making them impractical for broad backup protection and not providing the automatic version history that versioning offers.

Option E is wrong because IAM conditions restricting access to specific IP ranges only control network-level access, not the ability to delete or modify objects once accessed, and they do not provide any data recovery or immutability features.

318 (Multi-Select, medium)

A company is using Cloud NAT to allow instances in a private subnet to access the internet for updates. The security team wants to audit outbound connections. Which TWO steps should be taken to enable flow logs for Cloud NAT?

Select 2 answers
A. Enable Private Google Access on the subnet
B. Configure a log sink to export Cloud NAT logs to BigQuery
C. Enable VPC Flow Logs on the subnet
D. Create a new Cloud NAT gateway with logging enabled
E. Update the existing Cloud NAT gateway to enable flow logs
Answers: B, E

Exporting to BigQuery enables analysis and auditing of the flow logs.

Why this answer

Cloud NAT flow logs provide detailed records of outbound connections and are enabled directly on the Cloud NAT gateway itself. Option B is correct because configuring a log sink to export Cloud NAT logs to BigQuery is a valid step to audit outbound connections, but the primary step to enable logging is to update the existing Cloud NAT gateway to enable flow logs (Option E). Together, these two steps (B and E) allow you to capture and analyze outbound traffic for auditing.

Exam trap

The trap here is that candidates often confuse VPC Flow Logs with Cloud NAT flow logs, thinking that enabling VPC Flow Logs on the subnet will capture NAT traffic, but Cloud NAT flow logs are a distinct feature that must be enabled specifically on the NAT gateway itself.

319 (MCQ, easy)

A developer needs to grant public read access to all objects in a Cloud Storage bucket named 'my-public-assets'. What is the simplest way to achieve this?

A. Set a bucket policy that allows allUsers to read objects.
B. Grant storage.objectViewer to allUsers on the bucket without enabling uniform bucket-level access.
C. Enable uniform bucket-level access and grant storage.objectViewer to allUsers.
D. Set an ACL on each object to allow public read.
Answer: C

This is the recommended approach for public buckets.

Why this answer

Option C is correct: allUsers with storage.objectViewer on the bucket grants public read access to all objects. Option D requires setting ACLs per object. Option B grants the role without uniform bucket-level access, which would require an additional step.

Option A is wrong; a bucket policy alone is not sufficient without allUsers.

320 (MCQ, hard)

A financial services company uses Cloud SQL for MySQL for a critical application. They need zero downtime during maintenance and automatic failover across zones. They configured a Cloud SQL instance with high availability (HA). During a recent regional outage, the application experienced 10 minutes of downtime. What should they add to improve availability?

A. Configure a warm standby instance in another region using migration.
B. Create a cross-region replica and promote on failure.
C. Use Cloud SQL Proxy with multiple endpoints.
D. Enable database flags for faster failover detection.
Answer: B

A cross-region replica can be promoted to a new primary to handle regional failures.

Why this answer

Option B is correct because a cross-region replica provides a read-replica in a different region that can be promoted to a primary instance during a regional outage, enabling recovery with minimal downtime. This addresses the scenario where a single-region HA configuration (which uses zonal redundancy within the same region) cannot survive a full regional outage, as occurred in the question. Promoting the replica is a manual or automated failover action that restores write capability in the secondary region, reducing downtime from 10 minutes to seconds or minutes depending on replication lag.

Exam trap

The trap here is that candidates assume HA (zonal redundancy) protects against all outages, but the PCA exam tests understanding that HA is regional and cannot survive a full regional failure, requiring cross-region replicas for disaster recovery.

How to eliminate wrong answers

Option A is wrong because configuring a warm standby instance via migration implies a manual, non-automated process that does not provide automatic failover; it also requires additional setup and does not leverage Cloud SQL's built-in cross-region replica feature for seamless promotion. Option C is wrong because Cloud SQL Proxy is a tool for secure connectivity and connection pooling, not for failover or regional redundancy; multiple endpoints do not enable automatic failover across zones or regions. Option D is wrong because database flags for faster failover detection (e.g., innodb_flush_log_at_trx_commit) can improve performance but do not address regional outages; HA failover within a zone is already fast, but the issue is the entire region being unavailable.

321
MCQhard

Your company runs a multi-tier web application on Google Kubernetes Engine (GKE). The application consists of a frontend service, a backend API service, and a PostgreSQL database deployed using a StatefulSet with persistent volumes. The backend service exposes a gRPC endpoint. Recently, the team noticed that the backend service experiences intermittent high latency and occasional timeouts. The frontend service is stateless and scales well. The backend service is CPU-bound. The database is not the bottleneck. The cluster has three nodes of type n1-standard-4. The backend service is deployed with 10 replicas, each requesting 1 CPU and 2 Gi memory. Node utilization is around 70% CPU. The team suspects the network is the issue. However, after reviewing the GKE monitoring dashboard, they see that the network bytes sent/received per second for the backend pods is well below the node's network bandwidth limit. The latency spikes seem correlated with periods of high CPU throttling on the backend pods. The backend service's gRPC requests are small (under 1 KB), and the responses are also small. The team has already optimized the application code. What should the team do to reduce latency?

A.Increase the number of nodes in the cluster to reduce network contention.
B.Increase the number of backend replicas to 20.
C.Increase the CPU request for the backend pods to 2 CPUs.
D.Increase the memory request for the backend pods to 4 Gi.
AnswerC

More CPU will reduce throttling and latency.

Why this answer

The correct answer is C because the latency spikes correlate with CPU throttling, and throttling is the symptom of a pod hitting its CPU quota. The kernel's CFS bandwidth controller enforces the container's CPU limit, not its request, so a throttled pod has a limit and is exhausting it; with the limit equal to the request (Guaranteed QoS) each backend pod is capped at one core, and bursts of small gRPC calls on a CPU-bound service queue behind that cap. Raising the request, and with it the limit, to 2 CPUs gives each pod headroom to absorb bursts without being throttled, which addresses the root cause without adding replicas or memory. Note that 10 replicas at 2 CPUs each request 20 vCPUs against the 12 vCPUs of three n1-standard-4 nodes (before system reservations), so the node pool must grow, by hand or through the cluster autoscaler, for every replica to schedule.

Exam trap

The trap here is that candidates may focus on network or scaling solutions (A or B) because the symptom is latency, but the monitoring data explicitly points to CPU throttling, not network saturation, making CPU request adjustment the precise fix.

How to eliminate wrong answers

Option A is wrong because network contention is not the issue—monitoring shows network bytes are well below node bandwidth limits, and the problem is CPU throttling, not network. Option B is wrong because increasing replicas to 20 would increase CPU contention on the existing nodes, worsening throttling and latency, and the frontend already scales well. Option D is wrong because the backend is CPU-bound, not memory-bound; increasing memory does not alleviate CPU throttling and would waste resources.
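Before changing requests, a practitioner confirms the throttling from inside a pod and checks that the larger request still fits the node pool. The following is an added example, not code from the exam page: it parses the CFS statistics read from /sys/fs/cgroup/cpu.stat (cgroup v2) or /sys/fs/cgroup/cpu/cpu.stat (cgroup v1) and computes how many replicas of a given CPU request a node pool can hold. The cpu.stat contents and the node sizes are constructed for the example, and the per-node system reservation is an assumed parameter.

```python
"""Confirm CPU throttling and check whether a bigger CPU request still fits.

Added example, not from the exam page. Parses cgroup cpu.stat output and works
out node-pool capacity for a given CPU request. The cpu.stat contents and the
node sizes are constructed; reserved_per_node is an assumed parameter.
"""
import math
from dataclasses import dataclass

# Constructed cgroup v2 cpu.stat for one backend container (values in microseconds).
CPU_STAT_V2 = """\
usage_usec 8421350000
user_usec 7900000000
system_usec 521350000
nr_periods 60000
nr_throttled 27000
throttled_usec 1350000000
"""

# Constructed cgroup v1 cpu.stat for the same container (throttled_time in nanoseconds).
CPU_STAT_V1 = """\
nr_periods 60000
nr_throttled 27000
throttled_time 1350000000000
"""


def parse_cpu_stat(text: str) -> dict:
    """Turn the whitespace-separated key/value lines of cpu.stat into a dict."""
    stats = {}
    for line in text.splitlines():
        if line.strip():
            key, value = line.split(None, 1)
            stats[key] = int(value)
    return stats


def throttle_ratio(stats: dict) -> float:
    """Fraction of CFS periods in which the container exhausted its CPU quota.

    nr_throttled only rises when a CPU limit (the quota) is set, which is why
    throttling points at the limit rather than the request.
    """
    periods = stats.get("nr_periods", 0)
    return stats.get("nr_throttled", 0) / periods if periods else 0.0


def throttled_seconds(stats: dict) -> float:
    """Total time the container spent throttled, in seconds, for v1 or v2 layouts."""
    if "throttled_usec" in stats:
        return stats["throttled_usec"] / 1_000_000
    return stats.get("throttled_time", 0) / 1_000_000_000


@dataclass(frozen=True)
class NodePool:
    nodes: int
    vcpus_per_node: int             # n1-standard-4 has 4 vCPUs
    reserved_per_node: float = 0.0  # assumed kube/system reservation per node


def pods_per_node(pool: NodePool, cpu_request: float) -> int:
    """Whole pods of a given CPU request that fit on one node's allocatable CPU."""
    allocatable = pool.vcpus_per_node - pool.reserved_per_node
    return int(allocatable // cpu_request)


def schedulable_replicas(pool: NodePool, cpu_request: float) -> int:
    """Replicas the whole pool can schedule at the given CPU request."""
    return pool.nodes * pods_per_node(pool, cpu_request)


def extra_nodes_needed(pool: NodePool, cpu_request: float, replicas: int) -> int:
    """Nodes to add so every replica can be scheduled (0 if it already fits)."""
    per_node = pods_per_node(pool, cpu_request)
    if per_node == 0:
        raise ValueError("a single pod does not fit on one node")
    return max(0, math.ceil(replicas / per_node) - pool.nodes)


if __name__ == "__main__":
    stats = parse_cpu_stat(CPU_STAT_V2)
    print(f"throttled in {throttle_ratio(stats):.0%} of CFS periods, "
          f"{throttled_seconds(stats):.0f}s in total")
    pool = NodePool(nodes=3, vcpus_per_node=4)
    for cpu in (1.0, 2.0):
        print(f"{cpu} CPU/pod: fits {schedulable_replicas(pool, cpu)} replicas, "
              f"need {extra_nodes_needed(pool, cpu, 10)} more nodes for 10")
```

A throttle ratio near zero with high latency means the CPU limit is not the bottleneck and the investigation should move elsewhere; a high ratio with spare node CPU, as in the scenario, is the signature of a limit set too low.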

322
MCQmedium

A company is migrating on-premises workloads to Google Cloud. They have a critical application that requires consistent low-latency access to a database, with read replicas in multiple regions for disaster recovery. The application is expected to grow by 10x over the next year. Which database service and configuration should the architect choose to meet these requirements?

A.Use Cloud Bigtable with multi-region replication
B.Use Cloud SQL for PostgreSQL with cross-region read replicas
C.Use Cloud Spanner with multi-region configuration
D.Use Firestore in native mode with multi-region location
AnswerC

Cloud Spanner offers global strong consistency, automatic replication, and horizontal scalability.

Why this answer

Cloud Spanner with a multi-region configuration is the correct choice because it provides strong consistency everywhere, low-latency reads from the replica nearest each client, synchronous replication that survives the loss of a region, and automatic horizontal scaling to absorb a 10x growth in workload while keeping ACID transactions. That combination is what a critical application needing consistent low-latency access plus multi-region disaster recovery requires.

Exam trap

The trap here is that candidates often confuse Cloud Spanner's multi-region capabilities with simpler replication options like Cloud SQL read replicas or Bigtable's eventual consistency, failing to recognize that only Spanner provides strong global consistency and horizontal scaling for transactional workloads.

How to eliminate wrong answers

Option A is wrong because Cloud Bigtable is a NoSQL wide-column store for high-throughput key-based workloads, not a relational database; its multi-cluster replication is asynchronous and eventually consistent, so it does not give strongly consistent reads across regions. Option B is wrong because Cloud SQL for PostgreSQL keeps a single-region primary that scales vertically only, and its cross-region read replicas are asynchronous: they may serve stale reads and take no writes, which meets neither consistent access nor 10x growth. Option D is wrong because Firestore in Native mode, although strongly consistent and able to scale, is a document database with no relational schema or SQL joins, and a multi-region location replicates within a predefined pair of regions rather than regions the architect chooses, so it does not fit a relational workload that needs regional read replicas.

323
MCQhard

An administrator creates a GKE cluster with the command above. After deployment, the cluster has 3 nodes, but the node pool autoscaler never scales up even under load. What is the most likely reason?

A.The autoscaler minimum nodes is set to 1 and maximum to 5.
B.The disk size of 100 GB is insufficient.
C.The cluster is zonal, but node locations include multiple zones.
D.The machine type e2-medium is too small for the workloads.
AnswerC

In a zonal cluster, nodes can only be in the cluster zone; node-locations is ignored.

Why this answer

Option C is correct because the node pool autoscaler in GKE cannot scale up a cluster that uses multiple zones in a single zonal cluster. The autoscaler requires that all nodes in the pool be in the same zone to properly manage capacity; when node locations span multiple zones in a zonal cluster, the autoscaler is disabled and will not trigger scaling events, even under load.

Exam trap

The trap here is that candidates often assume the autoscaler is misconfigured because of its limits or resource constraints, but the PCA exam tests the subtler point the scenario turns on: node locations that do not match a zonal cluster's zone do not take effect, so the node pool never scales as expected.

How to eliminate wrong answers

Option A is wrong because setting minimum nodes to 1 and maximum to 5 is a valid autoscaler configuration and does not prevent scaling; it actually enables scaling within that range. Option B is wrong because a 100 GB disk size is sufficient for most workloads and disk size does not affect the autoscaler's ability to scale; the autoscaler responds to resource requests (CPU/memory), not disk capacity. Option D is wrong because the e2-medium machine type, while small, is not inherently too small for workloads; the autoscaler scales based on pending pods and resource requests, not the machine type itself, and a small machine type would actually trigger scaling if workloads exceed its capacity.

324
Multi-Selectmedium

A company is migrating to Google Cloud and needs to implement a least-privilege access model. Which THREE Google Cloud services or features support this goal? (Choose three.)

Select 3 answers
A.Cloud IAM Conditions
B.Cloud Audit Logs
C.VPC Service Controls
D.Cloud NAT
E.Organization Policy Service
AnswersA, C, E

IAM Conditions make a role binding apply only when attributes such as request time, source IP, or resource type match, which narrows each grant to what is needed.

Why this answer

Options A, C, and E are correct. Cloud IAM Conditions enable fine-grained, attribute-based access control: a binding applies only while a CEL condition on the request or resource holds. VPC Service Controls put a perimeter around access to Google APIs, limiting data exfiltration even when a principal holds IAM access. Organization Policy lets you set constraints that enforce least-privilege defaults across the organization, such as restricting which identity domains may appear in IAM policies or disabling service account key creation.

Option B is wrong because Cloud Audit Logs are a detective control: they record who did what but do not restrict access. Option D is wrong because Cloud NAT is a network service for outbound connectivity and does not control access.

325
MCQmedium

Your team has deployed a microservices application on Google Kubernetes Engine (GKE) with multiple services communicating via internal ClusterIP services. You notice that some requests between services are failing intermittently with 'connection refused' errors. The services are defined with readiness probes. What is the most likely cause?

A.The readiness probes are not passing, causing the service endpoints to be removed.
B.The services are not exposed via a VPC peering connection to the client's VPC.
C.The services are using NodePort instead of LoadBalancer type, causing port conflicts.
D.The services are not associated with an Ingress resource.
AnswerA

Failing readiness probes cause the pod to be removed from service endpoints, leading to connection refused.

Why this answer

The 'connection refused' error indicates that the client is attempting to connect to a port on which no process is listening. In GKE, when a readiness probe fails, Kubernetes removes the pod's IP from the corresponding ClusterIP service's endpoints. If all pods for a service fail their readiness probes, the service has no healthy endpoints, and any request to the ClusterIP will be refused because there is no backend to accept the connection.

This matches the intermittent nature of the issue, as pods may temporarily fail the probe and then recover.

Exam trap

Google Cloud often tests the distinction between readiness and liveness probes, where candidates may incorrectly assume that a failing liveness probe (which restarts the pod) is the cause of 'connection refused', but the key is that readiness probes control endpoint membership, directly causing the error when all endpoints are removed.

How to eliminate wrong answers

Option B is wrong because VPC peering is used for connectivity between separate VPC networks, not for internal service-to-service communication within the same GKE cluster; ClusterIP services are inherently reachable within the cluster without any peering. Option C is wrong because NodePort and LoadBalancer are service types for external exposure, not for internal pod-to-pod communication; port conflicts are not a typical cause of 'connection refused' errors within a cluster, and NodePort does not affect internal ClusterIP functionality. Option D is wrong because an Ingress resource is used for external HTTP/S traffic routing to services, not for internal service-to-service communication; the absence of an Ingress has no impact on direct ClusterIP-based communication between microservices.

326
MCQmedium

A startup is developing a real-time analytics dashboard that ingests data from IoT devices. The data volume is unpredictable but can spike to millions of events per second. The dashboard must display near real-time aggregations with sub-second latency. Which Google Cloud architecture should the architect recommend?

A.Ingest via Cloud IoT Core directly to Cloud Bigtable, then query with BigQuery.
B.Ingest via Cloud Pub/Sub, process with Cloud Dataproc, store in Cloud Storage, and query with BigQuery.
C.Ingest via Cloud Pub/Sub, store raw data in Cloud Storage, and use Cloud SQL for aggregations.
D.Ingest via Cloud Pub/Sub, process with Cloud Dataflow, store in Cloud Bigtable, and query from the dashboard.
AnswerD

This combination handles high ingest rates, stream processing, and low-latency queries.

Why this answer

Option D is correct because Cloud Pub/Sub provides scalable, asynchronous ingestion for unpredictable IoT data spikes, Cloud Dataflow enables stream processing for near real-time aggregations with sub-second latency, and Cloud Bigtable offers low-latency, high-throughput storage ideal for serving aggregated results directly to a dashboard. This combination meets the requirements of unpredictable volume, real-time processing, and low-latency queries.

Exam trap

The trap here is that candidates often choose batch-oriented services like BigQuery or Dataproc for real-time requirements, overlooking that Cloud Dataflow's stream processing and Cloud Bigtable's low-latency storage are specifically designed for sub-second, high-throughput dashboard use cases.

How to eliminate wrong answers

Option A is wrong because sending Cloud IoT Core output straight to Cloud Bigtable leaves no buffering or stream-processing layer for unpredictable spikes, BigQuery is not built for sub-second dashboard queries, and Cloud IoT Core itself was retired in August 2023. Option B is wrong because Cloud Dataproc is batch-oriented and adds latency to stream processing, and querying Cloud Storage through BigQuery adds far more than a second of latency. Option C is wrong because Cloud SQL cannot absorb millions of events per second for real-time aggregation and has no stream-processing capability.

327
Multi-Selecthard

A company has a Cloud SQL for PostgreSQL instance that is experiencing high latency. They suspect a connection pooling issue. Which TWO configurations should be checked? (Choose two.)

Select 2 answers
A.Cloud SQL Auth Proxy configuration
B.max_connections database flag
C.Private IP assignment
D.Database query insights
E.Database version
AnswersA, B

Correct. The proxy sits on every connection path, and max_connections caps how many connections the instance will accept.

Why this answer

The Cloud SQL Auth Proxy terminates an authorized, encrypted connection for every client connection; it does not pool connections itself, so pooling belongs in the application or in a pooler such as PgBouncer placed in front of the proxy, and a proxy that is restarting, under-resourced, or opening a fresh connection per request is a common source of latency. The max_connections flag sets how many connections the instance accepts; when the application's pool exceeds it, clients queue or fail. Query Insights helps locate slow queries but is a diagnostic feature, not a configuration to check.

Private IP versus public IP changes the network path but has no bearing on connection pooling, and the database version is not a pooling setting.

328
MCQhard

A company uses a Shared VPC hosted in a common project (host project) to centralize network management. A service project team needs to create a Compute Engine instance with a specific static internal IP address from the Shared VPC subnet. What IAM permissions should be granted to the service project's Compute Engine default service account?

A.compute.networkAdmin on the host project.
B.compute.subnetworks.use on the host project subnet.
C.compute.instances.create on the service project.
D.compute.subnetworks.use and compute.addresses.use on the subnet and static IP.
AnswerD

These permissions let the instance be placed in the subnet and attached to the reserved address.

Why this answer

Option D is correct: to attach a specific reserved internal address in a Shared VPC subnet, the principal that creates the instance needs compute.subnetworks.use on the subnet and compute.addresses.use on the reserved address. Both are included in roles/compute.networkUser, which is granted on the host project or, for least privilege, on the individual subnet. Option A is wrong because compute.networkAdmin on the host project is far broader than needed. Option B is wrong because compute.subnetworks.use alone lets the instance be placed in the subnet but not use a specific reserved address.

Option C is wrong because compute.instances.create in the service project is needed in any case but grants nothing in the host project's network.

329
MCQmedium

Your organization has a policy that all Compute Engine instances must have specific labels (env, team, cost-center) applied. You want to enforce this automatically when instances are created. What should you do?

A.Enable Cloud Audit Logs and set up a metric-based alert to detect instances without labels.
B.Create a Cloud Function that listens for instance creation events and adds labels automatically.
C.Assign a custom IAM role that includes permission to label instances, and remove the default compute.instances.create permission.
D.Use the Organization Policy service with a custom constraint to require labels on Compute Engine instances.
AnswerD

Organization policies can enforce label requirements at creation time.

Why this answer

Option D is correct because a custom Organization Policy constraint can require that every Compute Engine instance carries the env, team and cost-center labels at creation time. It is a preventive control: the CREATE call is rejected before the non-compliant instance exists, unlike reactive or permission-based approaches. Custom constraints for this case are written against the `compute.googleapis.com/Instance` resource type, apply to the CREATE method, and use a CEL (Common Expression Language) condition over the resource's labels field to require the keys and, if wanted, specific values.

Exam trap

The trap here is that candidates often choose reactive solutions (like Cloud Functions or alerts) because they seem simpler, but the exam emphasizes preventive enforcement using Organization Policy constraints for compliance-driven requirements.

How to eliminate wrong answers

Option A is wrong because Cloud Audit Logs and metric-based alerts are reactive — they only detect non-compliant instances after creation, not prevent them, and do not enforce the policy automatically. Option B is wrong because a Cloud Function that listens for instance creation events and adds labels is also reactive; it can fail or be bypassed, and the instance is created without labels initially, violating the policy. Option C is wrong because removing the default `compute.instances.create` permission would prevent all instance creation, not just unlabeled ones, and a custom IAM role cannot enforce label requirements at creation time — it only controls who can create instances, not what labels they must include.

330
Multi-Selecthard

Which THREE components are required to set up a private connection between an on-premises network and a VPC using Cloud VPN? (Choose three.)

Select 3 answers
A.Peer VPN gateway (on-premises).
B.Two VPN tunnels (for redundancy).
C.Cloud VPN gateway.
D.VPC Network Peering.
E.Cloud Router.
AnswersA, B, C

Required to terminate VPN on-premises.

Why this answer

Option A is correct because a Peer VPN gateway represents the on-premises VPN device that terminates the IPsec tunnel from the Cloud VPN gateway. This is a required component to establish the encrypted tunnel between your on-premises network and the VPC, as it defines the public IP address and configuration of the remote endpoint.

Exam trap

Google Cloud often tests the misconception that Cloud Router is always required for Cloud VPN. Classic VPN supports static routing without one; Cloud Router is needed only for dynamic (BGP) routing, which HA VPN requires, so whether it is mandatory depends on the VPN type.

331
MCQmedium

Refer to the exhibit. This is an IAM policy for a BigQuery dataset. What does the policy allow?

A.Alice to view data and analysts to run jobs.
B.Alice and analysts to run jobs.
C.Alice to run jobs and analysts to view data.
D.Alice and analysts to view data.
AnswerA

dataViewer allows viewing, jobUser allows running jobs.

Why this answer

The policy grants the `roles/bigquery.dataViewer` role to Alice, which allows her to view dataset metadata and query data, and the `roles/bigquery.jobUser` role to analysts, which allows them to run jobs (queries, load, export) but not view data directly. This combination matches option A.

Exam trap

Google Cloud often tests the distinction between data viewing and job execution permissions in BigQuery, trapping candidates who assume that running a job automatically includes the ability to see the data.

How to eliminate wrong answers

Option B is wrong because Alice is assigned `roles/bigquery.dataViewer`, not `roles/bigquery.jobUser`, so she cannot run jobs; only analysts have the jobUser role. Option C is wrong because it reverses the permissions: Alice can view data (not run jobs) and analysts can run jobs (not view data). Option D is wrong because analysts are granted `roles/bigquery.jobUser`, which does not include data viewing permissions; only Alice has data viewing access.

332
MCQmedium

A developer ran the command `gcloud compute instances describe instance-1 --zone us-central1-a` and received the above output. They want to create another instance with the same configuration, except with a different external IP. Which action should they take?

A.Reserve a new static external IP address and assign it to the new instance.
B.Create a new instance without specifying a static IP, so it receives an ephemeral IP.
C.Use the same static IP address by releasing and reassigning it.
D.None of the above.
AnswerB

A new instance created without a reserved address gets a fresh ephemeral IP, which is different from the address shown.

Why this answer

The `gcloud compute instances describe` output shows the instance has an external IP that is ephemeral (not reserved). To create a new instance with the same configuration but a different external IP, the simplest approach is to create a new instance without specifying a static IP, which will automatically assign a new ephemeral IP. This avoids the overhead of reserving and managing a static IP when only a temporary, different address is needed.

Exam trap

Google Cloud often tests the distinction between ephemeral and static IPs, and the trap here is that candidates assume any external IP must be static, leading them to unnecessarily reserve a new static IP instead of simply creating an instance without specifying one.

How to eliminate wrong answers

Option A is wrong because reserving a new static external IP and assigning it would give the instance a permanent, unchanging IP, which is unnecessary and incurs additional cost if the IP is not used; the goal is simply a different IP, not a static one. Option C is wrong because releasing and reassigning the same static IP would result in the same IP address, not a different one, and the describe output shows the current IP is ephemeral, not static. Option D is wrong because option B provides a valid and correct action.

333
MCQeasy

A developer wants to automate the creation of a Google Cloud project with a specific VPC and firewall rules. Which tool should they use?

A.Cloud Shell
B.Cloud Console
C.Deployment Manager
D.Cloud SDK
AnswerC

Deployment Manager is Google Cloud's infrastructure as code service.

Why this answer

Deployment Manager is the correct tool because it lets you define Google Cloud resources, including projects, VPC networks and firewall rules, in declarative templates (YAML, with Python or Jinja2 for templating) and creates them together with their dependencies, which gives repeatable, version-controlled infrastructure-as-code automation. Unlike the interactive tools, it manages the whole lifecycle of a deployment, including updates and deletion, without manual steps. Practitioners should note that Google has announced end of support for Deployment Manager (December 31, 2025) and recommends Infrastructure Manager, which runs Terraform, for new automation; the exam answer still turns on the declarative-template distinction.

Exam trap

Google Cloud often tests the distinction between interactive tools (Cloud Shell, Cloud Console) and automation tools (Deployment Manager, Cloud SDK), but the trap here is that candidates confuse Cloud SDK (a set of command-line tools) with an automation framework, whereas Deployment Manager is the only option that provides declarative, template-based automation for complex multi-resource deployments.

How to eliminate wrong answers

Option A is wrong because Cloud Shell is an interactive command-line environment that provides temporary access to Cloud SDK tools, but it does not itself automate resource creation; it is merely a terminal for running commands manually. Option B is wrong because Cloud Console is a web-based GUI for manually managing resources, which is not suitable for automation and cannot be used in scripts or CI/CD pipelines. Option D is wrong because Cloud SDK is a set of command-line tools (like gcloud) that can be used to create resources individually, but it requires imperative scripting and does not provide declarative, repeatable infrastructure-as-code templates like Deployment Manager does.

334
Drag & Dropmedium

Drag and drop the steps to set up a shared VPC in Google Cloud for a multi-project environment into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

The host project holds the VPC network. Service projects use the subnets. IAM roles control who can use the subnets.

335
MCQhard

A large e-commerce company runs a multi-tier application on Google Cloud. The frontend is served by a global HTTP Load Balancer with a backend service pointing to a managed instance group (MIG) of nginx web servers. The application tier consists of a regional internal TCP/UDP load balancer distributing traffic to a MIG of Java application servers. The database tier uses Cloud SQL for PostgreSQL in a failover replica configuration. The architecture is deployed in the us-central1 region across three zones. Recently, the operations team noticed intermittent 502 Bad Gateway errors from the frontend load balancer during peak traffic hours. The errors last for a few minutes and then recover. The team suspects the application tier is overwhelmed. They need to implement a solution that can handle traffic spikes without manual intervention. Which course of action should they take?

A.Increase the maximum number of instances in the application tier MIG from 10 to 20.
B.Enable Cloud Armor on the frontend load balancer with a rate-limiting rule to block excessive traffic.
C.Configure HTTP health checks on the regional internal load balancer and set the autoscaler to use the 'HTTP load balancing utilization' metric for the application tier MIG.
D.Enable Cloud CDN on the frontend load balancer to cache static assets and reduce load on the application tier.
AnswerC

Health checks ensure the load balancer only sends traffic to healthy instances, and autoscaling based on load balancing utilization will automatically adjust capacity.

Why this answer

Option C is correct because the intermittent 502 errors during peak traffic indicate that the application tier MIG is being overwhelmed: the frontend's backends time out waiting on the application tier. Health checks keep instances that stop responding out of rotation, and an autoscaler driven by a load signal adds instances as demand rises, so spikes are absorbed without manual intervention. This addresses the root cause, too few application instances during peaks, rather than masking it. One practitioner caveat: the load-balancing utilization signal exists only for backend services of the HTTP(S) load balancers; a regional internal passthrough TCP/UDP load balancer does not report it, so in a real deployment the application-tier autoscaler would be driven by CPU utilization or a Cloud Monitoring metric, with the same scaling effect.

Exam trap

The trap here is that candidates often confuse frontend load balancer errors with frontend capacity issues and choose CDN or rate-limiting, but the 502 Bad Gateway error specifically indicates the backend (application tier) is failing to respond, so the solution must scale the application tier itself.

How to eliminate wrong answers

Option A is wrong because simply increasing the maximum number of instances from 10 to 20 does not enable autoscaling; the MIG would still need a scaling policy to trigger new instances during spikes, and without a metric-based autoscaler, the instances would not be created automatically. Option B is wrong because enabling Cloud Armor with rate-limiting would block excessive traffic at the frontend, but the 502 errors originate from the backend (application tier) being overwhelmed, not from the frontend; rate-limiting would reject legitimate traffic and degrade user experience without solving the capacity issue. Option D is wrong because enabling Cloud CDN caches static assets at the edge, which reduces load on the frontend web servers but does not address the application tier's inability to handle dynamic request spikes; the 502 errors are likely from the application tier timing out, not from static asset serving.

336
MCQeasy

A company is migrating to Google Cloud and needs to connect their on-premises network to a VPC. They require high bandwidth and a reliable connection with a Service Level Agreement (SLA). Which solution should they choose?

A.Cloud VPN with dynamic routing
B.Dedicated Interconnect
C.Partner Interconnect via a service provider
D.Direct Peering
AnswerB

Dedicated Interconnect offers high bandwidth and an SLA.

Why this answer

Dedicated Interconnect provides a direct physical connection between your on-premises network and Google's network at a colocation facility, with 10 Gbps or 100 Gbps per link (bundled for more), and carries Google's 99.99% availability SLA when deployed with four connections across two metropolitan areas and two edge availability domains (99.9% with two connections in one metro). This meets the high-bandwidth, SLA-backed requirement better than any other option.

Exam trap

The trap here is that candidates often confuse Partner Interconnect with Dedicated Interconnect. Google's SLA for Partner Interconnect covers only Google's portion of the path, and the end-to-end SLA depends on the service provider, whereas Dedicated Interconnect is a direct physical link to Google whose 99.99% SLA the customer controls through redundant connections.

How to eliminate wrong answers

Option A is wrong because Cloud VPN runs IPsec tunnels over the public internet at roughly 3 Gbps per tunnel (ingress and egress combined); only HA VPN carries a 99.99% SLA, and even then its throughput is far below Interconnect, so it does not meet the high-bandwidth requirement. Option C is wrong because Partner Interconnect reaches Google through a service provider's network; it suits sites that cannot get a direct connection to a Google colocation facility, offers lower bandwidth options (50 Mbps to 50 Gbps per VLAN attachment), and the provider's portion of the path is covered by the provider's SLA, not Google's. Option D is wrong because Direct Peering is a best-effort exchange of traffic with Google's public services at a peering point, carries no SLA, and does not provide connectivity into a VPC network at all.

337
Matchingmedium

Match each GCP storage service to its typical use case.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Object storage for unstructured data

Managed NFS file server

Block storage for VM instances

NoSQL database for large analytical workloads

Globally distributed relational database

Why these pairings

These are the primary storage options in GCP: Cloud Storage is object storage for unstructured data, Filestore is the managed NFS file server, Persistent Disk is block storage for VM instances, Cloud Bigtable is the NoSQL database for large analytical workloads, and Cloud Spanner is the globally distributed relational database.

338
Multi-Selecteasy

Which TWO methods can be used to restrict inbound traffic to a Compute Engine instance to only specific IP addresses without relying on instance-level firewall rules? (Choose 2)

Select 2 answers
A.Use VPC Service Controls
B.Configure Cloud Armor policies
C.Create firewall rules in the VPC network
D.Assign a service account to the instance
E.Use Identity-Aware Proxy (IAP) for TCP forwarding
AnswersC, E

Firewall rules can restrict inbound traffic based on source IP ranges.

Why this answer

Option C is correct because VPC firewall rules are defined on the network and enforced by Google's infrastructure outside the guest, so they restrict traffic without any configuration inside the instance. A rule can allow ingress only from the listed source ranges (the 'sourceRanges' field) and can be scoped to particular instances with target tags or service accounts; rules are evaluated by priority with an implied deny-all ingress rule at the lowest priority, so anything not explicitly allowed is dropped. Option E is correct because IAP TCP forwarding removes the need to expose the port to the internet at all: the instance accepts connections only from IAP's published range (35.235.240.0/20), and IAP decides who may connect based on identity rather than source address.

Exam trap

Google Cloud often tests the distinction between network-level controls (VPC firewall rules) and instance-level controls (like guest OS firewalls), and candidates may incorrectly think that service accounts or VPC Service Controls can filter inbound IP traffic.
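The evaluation order is what makes firewall rules a reliable restriction, and it is worth working through once. The following is an added example, not code from the exam page: a small model of how Google Cloud evaluates VPC ingress rules (rules apply per instance according to their targets, the lowest priority number is evaluated first, the first match decides, a deny beats an allow at the same priority, and an implied deny-all ingress rule sits at priority 65535). The rule set, instance tags and connection attempts are constructed; 35.235.240.0/20 is the published range IAP TCP forwarding connects from.

```python
"""Evaluate VPC firewall rules for an inbound connection.

Added example, not from the exam page. Models the documented evaluation order
of Google Cloud VPC ingress rules. Rules, tags and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IngressRule:
    name: str
    action: str                  # "allow" or "deny"
    priority: int                # 0 is evaluated first, 65535 last
    source_ranges: tuple         # CIDR strings
    ports: tuple                 # "tcp:22", "tcp:8000-8080", or "icmp" for a whole protocol
    target_tags: tuple = ()      # empty tuple = every instance in the network
    disabled: bool = False


def _port_matches(spec: str, proto: str, port: int) -> bool:
    """True if a 'proto[:port|lo-hi]' spec covers the given protocol and port."""
    spec_proto, _, port_range = spec.partition(":")
    if spec_proto != proto:
        return False
    if not port_range:  # whole protocol
        return True
    low, _, high = port_range.partition("-")
    return int(low) <= port <= int(high or low)


def rule_matches(rule: IngressRule, src_ip: str, proto: str, port: int,
                 instance_tags: tuple) -> bool:
    """Does this rule apply to the target instance and match the packet?"""
    if rule.disabled:
        return False
    if rule.target_tags and not set(rule.target_tags) & set(instance_tags):
        return False
    address = ipaddress.ip_address(src_ip)
    if not any(address in ipaddress.ip_network(cidr) for cidr in rule.source_ranges):
        return False
    return any(_port_matches(spec, proto, port) for spec in rule.ports)


def ingress_decision(rules, src_ip: str, proto: str, port: int, instance_tags: tuple):
    """Return (allowed, rule_name) for an inbound packet to an instance with the given tags."""
    # Lower priority number first; at equal priority a deny is evaluated before an allow.
    ordered = sorted(rules, key=lambda r: (r.priority, r.action != "deny"))
    for rule in ordered:
        if rule_matches(rule, src_ip, proto, port, instance_tags):
            return rule.action == "allow", rule.name
    return False, "implied-deny-ingress"


# Constructed rule set: SSH only from an office range or through IAP, with an
# explicit deny that overrides the default network's default-allow-ssh rule.
RULES = (
    IngressRule("allow-ssh-office", "allow", 1000, ("203.0.113.0/24",), ("tcp:22",), ("bastion",)),
    IngressRule("allow-iap-ssh", "allow", 1000, ("35.235.240.0/20",), ("tcp:22",), ("bastion", "web")),
    IngressRule("allow-web-office", "allow", 1000, ("203.0.113.0/24",), ("tcp:80", "tcp:443"), ("web",)),
    IngressRule("deny-ssh-internet", "deny", 1100, ("0.0.0.0/0",), ("tcp:22",)),
    IngressRule("default-allow-ssh", "allow", 65534, ("0.0.0.0/0",), ("tcp:22",)),
)


if __name__ == "__main__":
    for src, proto, port, tags in (
        ("203.0.113.10", "tcp", 22, ("bastion",)),
        ("198.51.100.7", "tcp", 22, ("bastion",)),
        ("35.235.240.5", "tcp", 22, ("web",)),
        ("203.0.113.10", "tcp", 443, ("bastion",)),
    ):
        print(src, proto, port, tags, "->", ingress_decision(RULES, src, proto, port, tags))
```

The explicit deny at priority 1100 is the practitioner's habit worth copying: the default network ships with default-allow-ssh from 0.0.0.0/0 at 65534, so restricting SSH to specific addresses means adding allows for those addresses at a lower number and a deny above the default rule, rather than trusting that nobody re-creates the permissive one.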

339
Multi-Selectmedium

A company needs to ensure that only approved machine images can be used to create Compute Engine instances to meet security compliance. Which two methods should they use? (Choose two.)

Select 2 answers
A.Use VPC Service Controls to prevent creation from unauthorized images
B.Use a custom role with permissions restricted to specific image families
C.Use Cloud Asset Inventory to detect non-compliant images and trigger remediation
D.Use IAM conditions on compute.instances.create to require a specific family label
E.Use Organization Policy constraint compute.trustedImageProjects
AnswersB, E

Custom roles can limit which images a user may use by granting compute.images.useReadOnly only on the approved image projects.

Why this answer

The organization policy constraint compute.trustedImageProjects restricts instance boot disks to images from the listed projects and is the preventive, organization-wide control. Pairing it with a custom role that grants compute.images.useReadOnly only on those projects limits what users can reference in the first place. IAM conditions on compute.instances.create cannot see which image a request uses, so they cannot enforce an image family; VPC Service Controls fence API access to services and say nothing about image selection; Cloud Asset Inventory detection with remediation acts after the non-compliant instance exists, so it is not prevention.

340
MCQmedium

The exhibit shows a Cloud Storage bucket IAM policy. A developer (admin@example.com) wants to upload a file to the bucket but gets a permission denied error. What is the most likely reason?

A.An organization policy denies all write operations
B.The developer is not a member of the project
C.The service account my-sa overrides the developer's permissions
D.The developer is assigned only the objectViewer role
AnswerD

objectViewer cannot write.

Why this answer

Option D is correct because the developer only has roles/storage.objectViewer (read-only), not write access. Option A is wrong because there is no explicit deny. Option C is wrong because the service account has admin, but that doesn't affect the user.

Option B is wrong because the user is included in the policy.
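The reasoning behind question 340 (a read-only role cannot upload), carried out on a constructed bucket policy, as an added example that is not part of the question bank. The role-to-permission table is a hand-written subset of the real predefined Cloud Storage roles, and the service-account e-mail is a placeholder, since the page only names it "my-sa".

```python
"""Check what a principal can do under a Cloud Storage bucket IAM policy.

Added example, not from the question bank. The role-to-permission table is
an abbreviated, hand-written subset of the real predefined Cloud Storage
roles (assumption: not fetched from the IAM API).
"""
from typing import Dict, List, Set

# Abbreviated permission sets of predefined Cloud Storage roles (assumption:
# only the object-level permissions relevant here are listed).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/storage.objectViewer": {
        "storage.objects.get", "storage.objects.list",
    },
    "roles/storage.objectCreator": {
        "storage.objects.create",
    },
    "roles/storage.objectAdmin": {
        "storage.objects.create", "storage.objects.delete",
        "storage.objects.get", "storage.objects.list", "storage.objects.update",
    },
    "roles/storage.admin": {
        "storage.buckets.get", "storage.buckets.update",
        "storage.objects.create", "storage.objects.delete",
        "storage.objects.get", "storage.objects.list", "storage.objects.update",
    },
}

# Constructed policy mirroring question 340: the developer holds objectViewer,
# a service account holds admin. PROJECT_ID is a placeholder.
BUCKET_POLICY = {
    "bindings": [
        {
            "role": "roles/storage.objectViewer",
            "members": ["user:admin@example.com"],
        },
        {
            "role": "roles/storage.admin",
            "members": ["serviceAccount:my-sa@PROJECT_ID.iam.gserviceaccount.com"],
        },
    ],
}


def _binding_applies(binding: dict, member: str) -> bool:
    """True if the binding's member list covers `member`.

    allUsers covers everyone; allAuthenticatedUsers covers any named principal.
    Bindings carrying an IAM condition are treated as not applicable, because
    evaluating the CEL expression is out of scope; the check stays conservative.
    """
    if "condition" in binding:
        return False
    members = binding.get("members", [])
    if "allUsers" in members:
        return True
    if "allAuthenticatedUsers" in members and ":" in member:
        return True
    return member in members


def roles_for(policy: dict, member: str) -> List[str]:
    """Roles the policy unconditionally grants to `member`, in binding order."""
    return [b["role"] for b in policy.get("bindings", []) if _binding_applies(b, member)]


def effective_permissions(policy: dict, member: str) -> Set[str]:
    """Union of the permissions of every role granted to `member`."""
    perms: Set[str] = set()
    for role in roles_for(policy, member):
        perms |= ROLE_PERMISSIONS.get(role, set())  # unknown role: grants nothing here
    return perms


def has_permission(policy: dict, member: str, permission: str) -> bool:
    """Does `member` hold `permission` under this bucket policy?"""
    return permission in effective_permissions(policy, member)


def roles_granting(permission: str) -> List[str]:
    """Roles from the table that grant `permission`, narrowest first
    (the least-privilege way to fix a missing permission)."""
    return sorted(
        (r for r, p in ROLE_PERMISSIONS.items() if permission in p),
        key=lambda r: len(ROLE_PERMISSIONS[r]),
    )


def explain(policy: dict, member: str, permission: str) -> str:
    """One-line verdict on why an operation succeeds or is denied for `member`."""
    held = roles_for(policy, member)
    if has_permission(policy, member, permission):
        return f"{member} has {permission} via {', '.join(held)}"
    candidates = roles_granting(permission)
    fix = candidates[0] if candidates else "no listed role"
    return (f"{member} lacks {permission}; holds {held or 'no roles'}; "
            f"narrowest role that grants it: {fix}")


if __name__ == "__main__":
    print(explain(BUCKET_POLICY, "user:admin@example.com", "storage.objects.create"))
    print(explain(BUCKET_POLICY, "user:admin@example.com", "storage.objects.get"))
```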

341
Multi-Selectmedium

A company is designing a disaster recovery plan for a critical application running on Compute Engine with a regional persistent disk. They want to minimize recovery time objective (RTO) and recovery point objective (RPO). Which TWO strategies should they implement? (Choose two.)

Select 2 answers
A.Use snapshot replication to a secondary region.
B.Take manual snapshots after a failure occurs.
C.Create an instance template in the same region.
D.Store backups in Cloud Storage with a lifecycle policy.
E.Create a custom image of the boot disk and copy it to another region.
AnswersA, E

Snapshots can be replicated to another region for quick restore.

Why this answer

Option A is correct because snapshot replication to a secondary region allows you to create and store disk snapshots in a different region, enabling rapid recovery of the application in that secondary region. This minimizes RTO by having the snapshots readily available for creating new disks and instances, and minimizes RPO by scheduling frequent, automated snapshots that capture incremental changes, ensuring data loss is limited to the snapshot interval.

Exam trap

Google Cloud often tests the distinction between regional persistent disks (which are synchronous within a region) and cross-region disaster recovery strategies, leading candidates to mistakenly think that a regional persistent disk alone provides cross-region redundancy, when in fact you must explicitly replicate snapshots or images to another region.

342
MCQmedium

The exhibit shows a Cloud Storage bucket configuration. What does this configuration ensure?

A.Older versions of objects are automatically transferred to a different storage class.
B.Data is replicated to another region for disaster recovery.
C.Objects can only be permanently deleted after the retention period expires.
D.Objects older than 30 days will be automatically deleted.
AnswerC

A locked retention policy prevents permanent deletion before the retention period ends. Versioning retains noncurrent versions.

Why this answer

The exhibit shows a bucket configured with a retention policy. When a retention policy is set on a Cloud Storage bucket, objects cannot be deleted or overwritten until the retention period expires. This ensures that objects can only be permanently deleted after the retention period ends, which is exactly what option C describes.

Exam trap

The trap here is that candidates confuse retention policies with lifecycle management rules, mistakenly thinking retention policies automatically delete or transition objects, when in fact they only prevent deletion until the retention period expires.

How to eliminate wrong answers

Option A is wrong because retention policies do not automatically transfer objects to a different storage class; that is the function of lifecycle management rules, not retention policies. Option B is wrong because retention policies do not replicate data to another region; replication is configured separately using object replication or dual-region buckets. Option D is wrong because retention policies do not automatically delete objects after a period; they prevent deletion until the retention period expires, and automatic deletion is achieved via lifecycle rules with a Delete action.

343
MCQeasy

A developer needs to pass a startup script to a Compute Engine instance during creation. Which method should be used to ensure the script runs on first boot?

A.Use gcloud compute instances create with --metadata=startup-script=...
B.Create a custom image with the script baked in.
C.Use gcloud compute instances add-metadata after creating the instance.
D.Use gcloud compute instances create with --startup-script flag.
AnswerA

This passes the startup script as instance metadata, which runs on first boot.

Why this answer

The `--metadata=startup-script=...` flag on `gcloud compute instances create` passes the script as instance metadata. Compute Engine automatically executes the value of the `startup-script` metadata key on every boot, including the first boot. This is the standard, documented method for providing a startup script at instance creation time.

Exam trap

The trap here is that candidates confuse the nonexistent `--startup-script` flag with the correct `--metadata=startup-script=...` syntax, or assume that adding metadata after creation will trigger the script on the first boot.

How to eliminate wrong answers

Option B is wrong because baking the script into a custom image makes it part of the image itself, not a dynamically assigned startup script; it would run on every boot of instances created from that image, but the question specifically asks for a method to pass the script during creation, not to embed it in the image. Option C is wrong because `gcloud compute instances add-metadata` modifies metadata on an already-running instance; the script would only run on the next boot, not on the first boot (which has already occurred). Option D is wrong because `gcloud compute instances create` does not support a `--startup-script` flag; the correct flag is `--metadata=startup-script=...`.

344
MCQeasy

A small company wants to store sensitive files in Cloud Storage and ensure they are encrypted with a key that they control and rotate automatically every 90 days. They are currently using the default encryption provided by Google Cloud. They need a solution that is easy to manage and does not require manual key rotation. What should they do?

A.Use Cloud HSM to generate a key and handle encryption outside of Cloud Storage.
B.Create a Cloud KMS key ring and key with CMEK, set a rotation period of 90 days, and configure the bucket to use that key.
C.Use Customer-Supplied Encryption Keys (CSEK) and write a script to rotate the key every 90 days.
D.Continue using default encryption as it is automatically rotated by Google.
AnswerB

CMEK with automatic rotation meets the requirement of customer-controlled keys with no manual effort.

Why this answer

Option B is correct because Customer-Managed Encryption Keys (CMEK) in Cloud KMS support automatic rotation with a specified rotation period (e.g., 90 days). Option C is wrong because CSEK requires manual key management and rotation. Option D is wrong because default encryption uses Google-managed keys, not customer-controlled keys.

Option A is wrong because Cloud HSM provides hardware-backed keys but still requires CMEK configuration; automatic rotation is possible with CMEK regardless of HSM.

345
MCQmedium

A company deploys a microservices application on Google Kubernetes Engine (GKE). Pods in one deployment are frequently OOMKilled. The team sets memory requests and limits, but pods still crash. What is the most likely remaining cause?

A.CPU requests are too low, causing throttling and eventual crash.
B.The node pool is too small, causing memory pressure on the node.
C.Memory limits are set higher than the node's allocatable memory.
D.The application has a memory leak that eventually exceeds the limit.
AnswerD

A memory leak causes continuous memory growth until the limit is hit, resulting in OOMKill.

Why this answer

Option D is correct because OOMKilled errors occur when a container exceeds its memory limit. Setting memory requests and limits prevents unbounded usage, but if the application has a memory leak, it will continue to consume memory until it hits the configured limit, causing the kernel's Out-Of-Memory (OOM) killer to terminate the pod. The fact that pods still crash after setting limits indicates the application itself is the root cause, not resource configuration.

Exam trap

The trap here is that candidates confuse OOMKilled (per-container limit) with node-pressure eviction (node-level memory), or assume that setting requests/limits automatically fixes all memory issues, ignoring application-level bugs like memory leaks.

How to eliminate wrong answers

Option A is wrong because CPU throttling does not cause OOMKilled; CPU limits throttle performance but do not trigger the OOM killer, which is specific to memory exhaustion. Option B is wrong because node-level memory pressure would cause pods to be evicted (not OOMKilled) or the node to become NotReady, but the question states pods are OOMKilled, which is a per-container limit violation, not a node-level issue. Option C is wrong because setting memory limits higher than the node's allocatable memory would prevent the pod from being scheduled (pending state), not cause it to run and then be OOMKilled.

346
Multi-Selectmedium

Which TWO actions should you take to improve the reliability of a stateful application deployed on Compute Engine with regional persistent disks?

Select 2 answers
A.Use a regional persistent disk to replicate data across two zones.
B.Deploy the application across multiple zones in a managed instance group with autohealing.
C.Use preemptible VMs to reduce costs.
D.Place an HTTP(S) load balancer in front of the application.
E.Schedule regular snapshots of the persistent disk to Cloud Storage.
AnswersA, B

Regional persistent disks replicate data synchronously across zones, protecting against zone failure.

Why this answer

Option A is correct because regional persistent disks (RPDs) synchronously replicate data between two zones within a region, ensuring that if one zone fails, the data remains available in the other zone without data loss. This directly improves the reliability of a stateful application by providing a durable, zone-failure-tolerant storage layer that maintains data consistency across zones.

Exam trap

Google Cloud often tests the distinction between data durability (synchronous replication) and data backup (asynchronous snapshots), and candidates mistakenly choose scheduled snapshots (Option E) thinking they improve reliability, when in fact they only provide disaster recovery with a non-zero RPO.

347
MCQmedium

A company is deploying a critical application on Compute Engine with an HTTP load balancer. They want to ensure that if an instance health check fails, traffic is automatically rerouted to healthy instances. Which configuration should they implement?

A.Use an HTTP(S) load balancer with a backend service configured with a health check and enable connection draining.
B.Use an internal load balancer with a backend service configured with a health check.
C.Use a network load balancer with a health check configured on the target pool.
D.Use an HTTP(S) load balancer with a backend service configured with a health check and enable session affinity.
E.Use a TCP proxy load balancer with a backend service configured with a health check.
AnswerA

HTTP(S) LB with health checks automatically reroutes traffic; connection draining adds graceful shutdown.

Why this answer

Option A is correct because an HTTP(S) load balancer with a backend service configured with a health check automatically monitors instance health and reroutes traffic away from unhealthy instances. Enabling connection draining ensures that in-flight requests to an unhealthy instance are given time to complete before the instance is removed from the load balancing pool, preventing disruption to active sessions.

Exam trap

Google Cloud often tests the distinction between connection draining and session affinity, where candidates mistakenly think session affinity is needed for failover, but in reality session affinity prevents rerouting and should be avoided for high-availability scenarios.

How to eliminate wrong answers

Option B is wrong because an internal load balancer is used for private traffic within a VPC and does not handle external HTTP(S) traffic, nor does it provide the automatic rerouting required for a public-facing critical application. Option C is wrong because a network load balancer (TCP/UDP) operates at layer 4 and does not support HTTP(S) health checks or connection draining; it forwards traffic based on IP and port, not application-level health. Option D is wrong because session affinity (sticky sessions) pins a client to a specific instance, which would prevent traffic from being rerouted away from an unhealthy instance, defeating the purpose of health-check-based failover.

Option E is wrong because a TCP proxy load balancer terminates TCP connections and forwards traffic at layer 4, lacking HTTP(S)-specific health checks and the ability to reroute based on application-level health status.

348
MCQmedium

An organization has two Google Cloud projects: Project A hosts a Compute Engine instance with a MySQL database, and Project B hosts an application that needs to connect to the database. The network team set up VPC peering between the two VPCs. The application cannot connect to the database on port 3306. The database instance has a private IP. The network team has verified that firewall rules in both VPCs allow traffic from Project B's subnets to the database IP on port 3306. Ping from the application instance to the database IP succeeds. What should the architect do to resolve the connectivity issue?

A.Ensure that the VPC peering is established and that the subnet ranges do not overlap.
B.Configure Cloud NAT in Project B to enable outbound connections.
C.Configure custom routes export on the VPC peering connection in the database project (Project A).
D.Set up a Cloud VPN tunnel between the two projects instead.
AnswerC

Correct: Custom routes may need to be exported so that the database's subnet route is visible to the peered VPC. This allows the application to connect on the correct port.

Why this answer

Option C is correct because VPC peering does not automatically exchange custom static routes unless route export is explicitly configured. Since the database in Project A has a private IP, the application in Project B needs a route to that IP via the peering connection. By enabling custom routes export on the peering connection in Project A, the route to the database subnet is advertised to Project B, allowing the application to reach the database on port 3306.

Exam trap

The trap here is that candidates assume VPC peering automatically exchanges all routes, but Google Cloud requires explicit export of custom routes, and a successful ping misleads them into thinking routing is fully functional when ICMP may be taking a different path.

How to eliminate wrong answers

Option A is wrong because the network team has already verified that VPC peering is established and subnet ranges do not overlap (otherwise ping would fail). Option B is wrong because Cloud NAT is used for outbound internet access from instances without public IPs, not for private VPC peering connectivity; the application needs a route to the database's private IP, not internet egress. Option D is wrong because Cloud VPN is unnecessary and adds complexity; VPC peering is the correct mechanism for private connectivity between projects, and the issue is simply missing route export, not a fundamental connectivity problem.

349
Multi-Selecthard

A company is planning a hybrid cloud architecture using Anthos to manage workloads across on-premises data centers and Google Cloud. They need to select two key components that enable consistent configuration, policy, and security across environments. Which two should they choose?

Select 2 answers
A.Cloud Interconnect
B.GKE on-prem
C.Cloud Build
D.Config Sync
E.Cloud Load Balancing
AnswersB, D

GKE on-prem enables running Kubernetes clusters on-premises with the same API and tooling as GKE, enabling consistent workload management.

Why this answer

GKE on-prem (now Anthos clusters on bare metal or VMware) is correct because it provides a consistent Kubernetes platform that runs on-premises, enabling the same container orchestration, policy enforcement, and security controls as GKE in Google Cloud. Config Sync is correct because it continuously reconciles the desired state of cluster configurations from a Git repository, ensuring that policies, RBAC, and security settings remain identical across all Anthos clusters, whether on-prem or in the cloud.

Exam trap

The trap here is that candidates often confuse connectivity services (Cloud Interconnect) or traffic management (Cloud Load Balancing) with configuration and policy consistency, failing to recognize that Anthos relies on GitOps-based tools like Config Sync and the on-prem Kubernetes runtime (GKE on-prem) to achieve unified management.

350
MCQeasy

Refer to the exhibit. What is the primary benefit of the `--preemptible` flag in this command?

A.Significant cost reduction compared to standard instances.
B.Faster instance startup time due to optimized kernel.
C.Higher availability through automatic restart on failure.
D.Access to specialized hardware like GPUs at no extra cost.
AnswerA

Preemptible VMs cost about 60-90% less than standard VMs.

Why this answer

The `--preemptible` flag in Google Cloud Platform (GCP) creates preemptible VM instances, which are short-lived, cost-effective instances that can be terminated at any time by GCP. The primary benefit is a significant cost reduction—up to 60-91% lower than standard instances—making them ideal for batch jobs, fault-tolerant workloads, and non-critical tasks. This flag does not affect startup time, availability guarantees, or provide free access to specialized hardware.

Exam trap

Google Cloud often tests the misconception that `--preemptible` provides high availability or automatic restarts, when in reality it sacrifices availability for cost savings, and candidates may confuse it with managed instance groups or autohealing features.

How to eliminate wrong answers

Option B is wrong because the `--preemptible` flag does not optimize the kernel or affect instance startup time; startup time depends on the image and machine type, not the preemptible nature. Option C is wrong because preemptible instances have no automatic restart on failure—they are terminated after 24 hours or when capacity is needed, and they do not offer higher availability; in fact, they have lower availability than standard instances. Option D is wrong because preemptible instances do not provide access to specialized hardware like GPUs at no extra cost; GPUs are still billed separately, and preemptible instances with GPUs are subject to the same preemption risks and cost structure.

351
MCQmedium

An organization is implementing a data loss prevention (DLP) strategy for Cloud Storage. They want to automatically scan new objects uploaded to a specific bucket and redact sensitive data. Which service and configuration should they use?

A.Configure Cloud Armor with a WAF rule to inspect and redact data as it enters the bucket.
B.Enable Security Command Center (SCC) premium tier and configure it to scan the bucket for sensitive data.
C.Use Cloud DLP with a BigQuery external table to scan the bucket contents periodically.
D.Use Cloud Functions triggered by Cloud Storage events to call Cloud DLP API for each new object, and then store the redacted version.
AnswerD

Cloud Functions can process events from Cloud Storage and apply DLP transformations.

Why this answer

Option D is correct because Cloud DLP can be invoked from a Cloud Function when a Cloud Storage event occurs (e.g., object finalize), and the function can send the object to DLP for inspection and redaction. Option C is wrong because BigQuery is for structured data, not storage. Option B is wrong because SCC provides security posture management, not DLP scanning.

Option A is wrong because Cloud Armor does not apply to Cloud Storage.

352
MCQmedium

A company uses Cloud Interconnect to connect its on-premises network to GCP. They want to ensure that if one interconnect link fails, traffic is automatically rerouted to another link. Which configuration should they implement?

A.Configure BGP sessions with equal-cost multi-path (ECMP) over multiple interconnect links.
B.Use a VPN as backup for the interconnect.
C.Use a single VLAN attachment with multiple interconnect links.
D.Create a second interconnect in a different metro and use BGP with MED.
E.Use multiple VLAN attachments with the same interconnect.
AnswerD

Two interconnects in different metro areas with BGP MED provide automatic failover.

Why this answer

Option D is correct because using a second interconnect in a different metro with BGP MED (Multi-Exit Discriminator) allows you to influence inbound traffic path selection and provides true geographic redundancy. If one interconnect link fails, BGP withdraws the routes, and traffic automatically fails over to the remaining interconnect via the alternate path, ensuring high availability without relying on a single point of failure.

Exam trap

The trap here is that candidates often confuse link-level redundancy (e.g., ECMP or multiple VLAN attachments on the same interconnect) with true geographic redundancy, failing to recognize that a single interconnect location is a single point of failure regardless of how many links or VLANs are used.

How to eliminate wrong answers

Option A is wrong because ECMP over multiple interconnect links requires all links to be active and does not provide automatic rerouting if a link fails; BGP would still need to withdraw routes, and ECMP alone does not handle failover. Option B is wrong because using a VPN as a backup introduces a different technology with lower bandwidth and higher latency, and it is not the recommended configuration for automatic rerouting over dedicated interconnect links. Option C is wrong because a single VLAN attachment cannot span multiple interconnect links; VLAN attachments are tied to a specific interconnect, so this configuration does not provide link-level redundancy.

Option E is wrong because multiple VLAN attachments on the same interconnect do not protect against the failure of that single interconnect; they only provide logical separation, not physical link redundancy.

353
MCQeasy

A company is migrating a monolithic application to Google Cloud. They want to minimize changes to the application code while taking advantage of Cloud Run for serverless containers. Which approach should they take?

A.Deploy the application to App Engine standard environment with automatic scaling.
B.Lift and shift the application to Compute Engine instances behind a load balancer.
C.Refactor the application into microservices and deploy each as a separate Cloud Run service.
D.Use Cloud Run by packaging the existing application as a container and listening on a web server.
AnswerD

Minimal changes: containerize the existing app with a web server wrapper.

Why this answer

Option D is correct because Cloud Run can run any containerized application that listens on HTTP requests on port 8080. By packaging the existing monolithic application as a container and adding a lightweight web server (e.g., Express, Flask, or Nginx), the company can deploy it to Cloud Run with minimal code changes, leveraging serverless scaling and pay-per-use pricing without refactoring into microservices.

Exam trap

Google Cloud often tests the misconception that serverless containers require microservices architecture, but Cloud Run can run any containerized application, including a monolithic one, as long as it listens for HTTP requests.

How to eliminate wrong answers

Option A is wrong because App Engine standard environment requires the application to conform to specific runtime constraints (e.g., Java Servlet, Python WSGI) and does not support arbitrary containers, so it would likely require significant code changes. Option B is wrong because lifting and shifting to Compute Engine instances behind a load balancer does not minimize changes but also fails to take advantage of serverless containers, requiring manual management of VMs, scaling, and patching. Option C is wrong because refactoring the monolithic application into microservices is a major architectural change that contradicts the requirement to minimize changes to the application code.

354
MCQeasy

Your company runs an e-commerce platform on Google Cloud. The application is deployed on Compute Engine instances in a managed instance group (MIG) with autoscaling based on CPU utilization. The database uses Cloud SQL for MySQL with a single instance. During a recent flash sale, traffic spiked and the application became slow, resulting in a poor user experience. After analyzing the incident, you discovered that the MIG scaled up but the Cloud SQL instance reached its maximum connections limit, causing some requests to fail. You need to recommend a solution to improve the reliability of the application for future traffic spikes. What should you do?

A.Increase the maximum connections setting on the Cloud SQL instance and also increase the instance's tier to handle more concurrent connections.
B.Migrate the database to Cloud Spanner to provide unlimited scalability and automatic sharding.
C.Implement a connection pooling library in the application code to reuse database connections and reduce the number of new connections.
D.Deploy the Cloud SQL Proxy on each Compute Engine instance to manage database connections more efficiently, and configure a connection pool size that matches the maximum connections of the Cloud SQL instance.
AnswerD

Option D reduces the number of open connections and distributes them efficiently.

Why this answer

Option D is correct because deploying the Cloud SQL Proxy on each Compute Engine instance provides a secure, efficient way to manage database connections. The proxy can be configured with a connection pool size that matches the Cloud SQL instance's maximum connections, preventing the application from exhausting the database's connection limit. This approach also reduces the overhead of establishing new connections and improves connection reuse, directly addressing the bottleneck during traffic spikes.

Exam trap

The trap here is that candidates often assume increasing the database tier or max_connections is the simplest fix, but the PCA exam tests the understanding that connection pooling with a proxy is a more scalable and cost-effective reliability pattern, especially when combined with autoscaling compute instances.

How to eliminate wrong answers

Option A is wrong because simply increasing the maximum connections and tier on Cloud SQL does not address the root cause of connection exhaustion; it only delays the problem and increases cost without improving connection management efficiency. Option B is wrong because migrating to Cloud Spanner is an over-engineered solution for a MySQL-based application; it introduces significant complexity, cost, and potential application rewrites, and is not necessary for handling connection limits. Option C is wrong because implementing a connection pooling library in the application code alone does not prevent the application from opening too many connections if the pool size is not properly configured; it also does not provide the secure, managed connection handling that Cloud SQL Proxy offers, and the application may still exceed the database's connection limit without a centralized proxy.

355
Multi-Selectmedium

A company is designing a disaster recovery plan for their Cloud SQL for PostgreSQL instance. They want to ensure that the database can be recovered in another region within minutes with minimal data loss. Which three actions should they take? (Choose three.)

Select 3 answers
A.Enable point-in-time recovery
B.Regularly test the failover procedure
C.Configure a failover replica in a different zone within the same region
D.Enable cross-region replication using Cloud SQL's replica feature
E.Enable automated backups with a retention period of 30 days
AnswersA, B, D

Allows recovery to a specific point in time, minimizing data loss.

Why this answer

Enabling point-in-time recovery (PITR) for Cloud SQL for PostgreSQL is correct because it allows you to restore the database to any specific point in time within the backup retention period, minimizing data loss to within seconds. PITR relies on write-ahead logs (WAL) archived continuously, which are essential for recovering to a precise timestamp in a disaster scenario. This directly supports the requirement of minimal data loss during cross-region recovery.

Exam trap

The trap here is that candidates often confuse zonal high availability (a failover replica in a different zone) with cross-region disaster recovery, mistakenly thinking a zonal replica satisfies the 'another region' requirement.

356
MCQeasy

A company wants to store customer transaction logs for 7 years for compliance. The logs are accessed rarely but must be retrievable within 24 hours. Which storage option is most cost-effective?

A.Cloud Storage Archive class
B.Cloud Storage Nearline class
C.Cloud Storage Coldline class
D.Cloud Storage Standard class
AnswerA

Archive class offers lowest cost for long-term storage with retrieval within 24 hours.

Why this answer

Cloud Storage Archive class is the most cost-effective option for data that is accessed rarely and requires retrieval within 24 hours. Archive class offers the lowest storage cost among Google Cloud Storage classes, with a default retrieval time of 12 hours, which comfortably meets the 24-hour requirement. This makes it ideal for long-term compliance retention of transaction logs that are infrequently accessed.

Exam trap

Google Cloud often tests the misconception that Coldline is the cheapest storage class, but Archive class actually has the lowest storage cost, with retrieval times up to 24 hours, making it the correct choice for rarely accessed data with flexible retrieval requirements.

How to eliminate wrong answers

Option B (Cloud Storage Nearline class) is wrong because it is designed for data accessed less than once a month, with a 30-day minimum storage duration, and its storage cost is higher than Archive, making it less cost-effective for 7-year retention. Option C (Cloud Storage Coldline class) is wrong because it targets data accessed less than once a quarter, with a 90-day minimum storage duration, and its storage cost is higher than Archive, so it is not the most cost-effective for rarely accessed logs. Option D (Cloud Storage Standard class) is wrong because it is optimized for frequently accessed data with no minimum storage duration and has the highest storage cost, making it prohibitively expensive for long-term archival of rarely accessed logs.

357
MCQhard

A company is migrating a critical on-premises application to Google Cloud. The application consists of a frontend web server that handles user requests and a backend database server that stores session state and processed data. The application is stateful because session data is stored in memory on the backend server. The company wants to minimize downtime during migration and ensure that the application can scale horizontally in the future. The current on-premises architecture has the web server and database server on separate physical machines. The web server communicates with the database server via a private network. The company expects that after migration, the application will need to handle double the current traffic. They also need to ensure that the architecture is resilient to zone failures within a single region. They are considering using Compute Engine for both the web and database servers, but they are open to other Google Cloud services. They have a requirement that the database must be relational and support ACID transactions. The database currently uses Microsoft SQL Server, but they are willing to migrate to a different database engine if it reduces operational overhead and provides better scalability. The team has limited experience with Google Cloud and wants to minimize architectural changes. Which course of action should the company take?

A.Refactor the application to be stateless. Migrate the web server to App Engine and the database to Cloud SQL for PostgreSQL. Use Cloud Memorystore for session state.
B.Migrate the web server to Compute Engine and the database to Cloud Spanner. Use a global load balancer for the web server and Spanner for transactional consistency.
C.Migrate the web server to Compute Engine with a managed instance group and internal load balancer. Migrate the database to Cloud SQL for SQL Server with high availability across zones.
D.Lift and shift both web and database servers to Compute Engine. Use a managed instance group with autoscaling for the web server and a standalone VM for the database. Configure persistent disks for data.
AnswerC

Minimizes changes, provides HA, scaling, and managed database.

Why this answer

Option C is correct because it preserves the existing stateful architecture by using Compute Engine with a managed instance group and internal load balancer for the web tier, and Cloud SQL for SQL Server with cross-zone high availability for the database. This minimizes architectural changes, supports horizontal scaling via the managed instance group, and provides zone-level resilience for the relational database with ACID transactions, meeting the requirement to handle double traffic while minimizing downtime.

Exam trap

The trap here is that candidates often choose a lift-and-shift option (D) thinking it minimizes changes, but they overlook the requirement for zone-level resilience, which a standalone VM cannot provide, or they incorrectly assume that Cloud Spanner (B) is the only option for ACID transactions at scale, ignoring that Cloud SQL for SQL Server meets the need with less complexity and no database engine migration.

How to eliminate wrong answers

Option A is wrong because refactoring to stateless and moving to App Engine is a large architectural change for a team that wants to minimize change, and moving from SQL Server to PostgreSQL adds a database engine migration on top of it; Memorystore for session state only becomes relevant once that refactor is done. Option B is wrong because Cloud Spanner is not SQL Server compatible, so it forces a full schema and application migration, and its global distribution is unnecessary for a single-region workload; a global load balancer is likewise not required for one region. Option D is wrong because a standalone database VM has no cross-zone failover, failing the zone-resilience requirement; persistent disks protect the data but do not provide the automated failover, patching, or backups that Cloud SQL does, so operational overhead and downtime risk stay high.

358
MCQhard

A company is building a real-time data pipeline that ingests events from IoT devices, processes them with Apache Beam, and stores results in BigQuery for analytics. The pipeline must handle spikes in traffic and guarantee exactly-once processing. Which combination of services should they use?

A.Cloud Pub/Sub, Dataproc, and BigQuery.
B.Cloud IoT Core, Data Fusion, and Cloud Bigtable.
C.Cloud Storage, Cloud Functions, and BigQuery.
D.Cloud Pub/Sub, Dataflow, and BigQuery.
AnswerD

Cloud Pub/Sub handles event ingestion with scalability, Dataflow provides exactly-once processing for streaming, and BigQuery serves as the analytics data warehouse.

Why this answer

Option D is correct because Cloud Pub/Sub provides scalable, asynchronous ingestion for IoT event spikes, Dataflow (which runs Apache Beam) offers exactly-once processing semantics via checkpointing and idempotent sinks, and BigQuery serves as the analytics destination. This combination meets all requirements: Pub/Sub decouples producers from consumers, Dataflow handles stateful processing with exactly-once guarantees, and BigQuery supports real-time streaming inserts.

Exam trap

Google Cloud often tests the misconception that any combination of Google Cloud services can achieve exactly-once processing, but the trap here is that only Dataflow (with its Beam runner) provides native exactly-once semantics for streaming pipelines, while Dataproc, Data Fusion, and Cloud Functions lack this guarantee.

How to eliminate wrong answers

Option A is wrong because Dataproc is managed Hadoop/Spark; Beam can run on the Spark runner there, but without Dataflow's managed streaming runner you lose its exactly-once semantics and streaming autoscaling. Option B is wrong because Cloud IoT Core was a device-management and MQTT/HTTP bridge that itself published to Pub/Sub (the service has since been retired), Data Fusion builds CDAP pipelines that execute on Dataproc rather than Dataflow and so do not inherit Dataflow's exactly-once guarantees, and Bigtable is a wide-column NoSQL store, not an analytics warehouse. Option C is wrong because Cloud Storage is an object store with no streaming ingestion (events would have to be batched into objects and picked up by triggers), Cloud Functions are short-lived (up to 9 minutes for 1st-gen functions) with at-least-once invocation rather than exactly-once processing, and the combination has no managed stream-processing engine.

359
MCQhard

A company runs a streaming data pipeline using Dataflow to process real-time data and insert into BigQuery. Recently, workers are frequently failing with out-of-memory errors and the pipeline latency is increasing. What should they do to resolve the issue?

A.Increase the worker machine type and memory
B.Use Cloud Pub/Sub for buffering and then load into BigQuery in batches
C.Enable autoscaling and increase the maximum number of workers
D.Enable Dataflow Streaming Engine
AnswerD

Streaming Engine moves state to a backend service, reducing memory usage per worker.

Why this answer

Dataflow Streaming Engine offloads the streaming data processing state and shuffle data from worker memory to a backend service, reducing memory pressure on workers. This directly addresses out-of-memory errors and latency increases without requiring manual scaling or machine type changes. It is the recommended solution for streaming pipelines experiencing memory bottlenecks.

Exam trap

Google Cloud often tests the misconception that scaling up resources (more memory or more workers) is the primary fix for streaming pipeline memory issues, when the real solution is to offload state management using Streaming Engine.

How to eliminate wrong answers

Option A is wrong because simply increasing worker machine type and memory does not resolve the root cause of state management overhead in streaming pipelines; it only delays the failure and increases cost without optimizing data flow. Option B is wrong because adding Pub/Sub buffering does not fix the memory issue within Dataflow workers; it shifts the problem to a different layer and may introduce additional latency and complexity. Option C is wrong because enabling autoscaling and increasing max workers can help with throughput but does not reduce per-worker memory consumption; workers may still fail with OOM errors if the pipeline's state or shuffle data exceeds available memory.

360
MCQeasy

A startup runs a web application on Google Kubernetes Engine (GKE) with 3 replicas serving user traffic. They use Cloud SQL for the database. Recently, the application experienced intermittent timeouts during peak hours. Monitoring shows high CPU usage on the GKE nodes and increased database connection pool exhaustion. The team is looking for a cost-effective solution that minimizes architectural changes. The application is stateless. What should they do?

A.Add more nodes to the GKE cluster and enable cluster autoscaling
B.Increase the number of pod replicas and configure a connection pooler like PgBouncer for Cloud SQL
C.Vertically scale the GKE node pool to larger machine types and increase Cloud SQL tier
D.Set up a Cloud SQL read replica and route read queries to it
AnswerB

More pods distribute CPU load, and a connection pooler reduces database connections, addressing both issues cost-effectively.

Why this answer

The application is stateless and experiencing database connection pool exhaustion alongside high CPU on GKE nodes. Increasing pod replicas distributes the CPU load across more pods, while adding a connection pooler like PgBouncer reduces the number of direct connections to Cloud SQL, preventing pool exhaustion without requiring database tier changes. This approach is cost-effective because it optimizes existing resources rather than scaling infrastructure.

Exam trap

Google Cloud often tests the misconception that scaling compute resources (nodes or pods) alone fixes database connection issues, but the trap here is that connection pool exhaustion is a database-layer problem requiring a connection pooler, not just more application instances.

How to eliminate wrong answers

Option A is wrong because adding more nodes and enabling cluster autoscaling addresses node CPU pressure but does not solve database connection pool exhaustion, which is a separate bottleneck at the database layer. Option C is wrong because vertically scaling both the GKE node pool and Cloud SQL tier is expensive and over-provisions resources, whereas the real issue is connection management, not raw compute or database capacity. Option D is wrong because setting up a Cloud SQL read replica only helps with read-heavy workloads, but the problem is connection pool exhaustion and high CPU on GKE nodes, not read scaling; the application is stateless and the bottleneck is at the database connection layer, not query distribution.

361
MCQmedium

Refer to the exhibit. A Cloud Run service is experiencing high latency and returns 502 errors when traffic spikes. What should the team adjust first?

A.Decrease containerConcurrency to 10
B.Increase the maximum number of instances
C.Increase the CPU limit to 2000m
D.Increase the memory limit to 512Mi
AnswerA

Lowering concurrency reduces the number of simultaneous requests per container, preventing overload and 502s.

Why this answer

The 502 errors and high latency during traffic spikes indicate that each Cloud Run instance is accepting more simultaneous requests than it can serve in time. Decreasing `containerConcurrency` to 10 caps the number of in-flight requests per instance, so Cloud Run scales out sooner and each instance has headroom; that targets the per-instance overload directly and needs no code change. The trade-off is more instances for the same traffic, so cost rises, and the max-instances ceiling must be high enough to absorb them or the overload simply moves to the scaling limit.

Exam trap

Google Cloud often tests the misconception that scaling out (increasing max instances) or scaling up (increasing CPU/memory) is the immediate fix for latency and errors, when the real issue is often the concurrency limit per container.

How to eliminate wrong answers

Option B is wrong because increasing the maximum number of instances does not fix the per-container overload; it only allows more instances to be created, but if each instance still handles too many concurrent requests, they will still time out and return 502 errors. Option C is wrong because increasing the CPU limit to 2000m may improve processing speed but does not reduce the number of concurrent requests each container must handle; the bottleneck is concurrency, not raw CPU. Option D is wrong because increasing the memory limit to 512Mi addresses out-of-memory issues, not the high latency and 502 errors caused by excessive concurrent request handling.
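The adjustment from option A, written as a Terraform definition of a Cloud Run v2 service; this is an added example, not configuration from the page or the exhibit, and the project, region, image, and instance ceiling are assumptions:

```hcl
# Added example (not from the original page). Project, region, image and
# instance counts are assumed values.
locals {
  project = "acme-prod"
  region  = "us-central1"
}

resource "google_cloud_run_v2_service" "api" {
  project  = local.project
  name     = "api"
  location = local.region

  template {
    # Requests served concurrently by one instance. The default is 80; lowering
    # it makes Cloud Run scale out earlier instead of queueing requests inside
    # an instance until they time out with 502s.
    max_instance_request_concurrency = 10

    # Headroom for the extra instances the lower concurrency will create.
    scaling {
      min_instance_count = 1
      max_instance_count = 50
    }

    containers {
      image = "us-docker.pkg.dev/acme-prod/app/api:1.4.2" # assumed image

      # Unchanged: CPU and memory are not the bottleneck in this scenario.
      resources {
        limits = {
          cpu    = "1000m"
          memory = "512Mi"
        }
      }
    }
  }
}
```

After applying, compare the `run.googleapis.com/container/instance_count` metric against `max_instance_count` during a spike: if instances hit the ceiling, the concurrency change has exposed an undersized maximum rather than fixed the latency.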

362
Drag & Dropmedium

Drag and drop the steps to migrate a Compute Engine VM to a different region using a snapshot into the correct order.

Why this order

Snapshots are global resources, but persistent disks and VMs are zonal (or, for regional disks, regional). The order is therefore: snapshot the source VM's disk, create a new disk from that snapshot in a zone of the target region, then create the VM in that zone from the new disk. Stop or quiesce the source VM before snapshotting if the disk must be application-consistent, and if the disk is encrypted with a customer-managed or customer-supplied key, that key must be available when the snapshot and the new disk are created.

363
MCQhard

A company manages secrets for multiple microservices using Secret Manager. They need to ensure that each service can access only its own secrets, and that all access is logged. What is the best IAM architecture?

A.Create custom roles with secrets.get permission and bind to each service account at the individual secret resource.
B.Grant each service account the roles/secretmanager.secretAccessor role at the project level.
C.Use a single service account for all microservices with access to all secrets.
D.Grant each service account the roles/secretmanager.admin role at the secret level.
AnswerA

Custom roles allow fine-grained access; binding at secret level ensures least privilege.

Why this answer

Binding at the individual secret resource, rather than at the project, is what enforces per-service isolation: a service account that holds a role only on one secret cannot enumerate or read the others. Two caveats matter in practice. First, `secretmanager.secrets.get` returns only metadata; reading a payload requires `secretmanager.versions.access`, which is the permission carried by the predefined `roles/secretmanager.secretAccessor`. A custom role must include `versions.access` to be useful, and binding the predefined accessor role per secret achieves the same least privilege with less to maintain. Second, the logging requirement is not met by default: `AccessSecretVersion` is a data-access operation, so Data Access audit logs (`DATA_READ`) must be enabled for `secretmanager.googleapis.com` before reads appear in Cloud Audit Logs.

How to eliminate wrong answers

Option B is wrong because a project-level `secretAccessor` grant lets every service account read every secret in the project. Option C is wrong because a single shared service account makes all reads indistinguishable: no per-service restriction is possible and the audit log cannot attribute an access to a microservice. Option D is wrong because `secretmanager.admin`, even when bound at the secret level, grants far more than read (modify, delete, and change the secret's IAM policy), which violates least privilege.
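The architecture from option A expressed as Terraform, as an added example rather than code from the page: the predefined accessor role bound per secret (equivalent in effect to a custom role holding `secretmanager.versions.access`), plus the Data Access audit configuration that makes reads visible. Project ID, secret names and service account addresses are assumptions:

```hcl
# Added example (not from the original page). Project, secret names and
# service account addresses are assumed values.
locals {
  project = "acme-prod"
  # One secret per microservice, mapped to the only account allowed to read it.
  service_secrets = {
    "orders-db-password" = "orders-svc@acme-prod.iam.gserviceaccount.com"
    "billing-api-key"    = "billing-svc@acme-prod.iam.gserviceaccount.com"
  }
}

resource "google_secret_manager_secret" "svc" {
  for_each  = local.service_secrets
  project   = local.project
  secret_id = each.key
  replication {
    auto {}
  }
}

# Bind at the secret resource, not the project: each service account can read
# exactly one secret payload (secretmanager.versions.access) and nothing else.
resource "google_secret_manager_secret_iam_member" "reader" {
  for_each  = local.service_secrets
  project   = local.project
  secret_id = google_secret_manager_secret.svc[each.key].secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${each.value}"
}

# AccessSecretVersion is a data-access operation and is not logged by default;
# enabling DATA_READ is what satisfies "all access is logged". ADMIN_READ also
# records who inspected IAM policies and metadata.
resource "google_project_iam_audit_config" "secretmanager" {
  project = local.project
  service = "secretmanager.googleapis.com"
  audit_log_config {
    log_type = "DATA_READ"
  }
  audit_log_config {
    log_type = "ADMIN_READ"
  }
}
```

Once applied, a read by `orders-svc` appears in Cloud Logging with `protoPayload.methodName` equal to `google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion` and the secret's resource name, and an attempt by `orders-svc` to read `billing-api-key` is denied and recorded the same way, which is the check to run before trusting the isolation.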

364
MCQhard

A company has a hub-and-spoke VPC topology with multiple on-premises locations connected via Cloud VPN to the hub VPC. They notice IP conflicts because overlapping CIDR ranges are used in different spokes. The network team wants to allow communication between spokes without re-IPing. What should they do?

A.Use Cloud NAT in each spoke and private routing via the hub with network tags to distinguish ranges.
B.Use Cloud VPN tunnels between spokes through the hub.
C.Configure static routes in the hub to summarize ranges with a smaller prefix.
D.Create VPC peering between each spoke VPC.
AnswerA

Address translation is the only mechanism that can make overlapping ranges reachable; routing alone cannot distinguish two identical prefixes. Re-IPing one side is the clean long-term fix, but among the options only A permits spoke-to-spoke communication without it.

Why this answer

Option A is the best of the four because translation happens before traffic reaches the hub. The form of Cloud NAT that does this is Private NAT: with the hub built on Network Connectivity Center and each spoke attached as a VPC spoke, a Private NAT gateway in a spoke rewrites the source addresses of traffic bound for other spokes to a dedicated, non-overlapping NAT subnet range, so the hub and the far spoke only ever see unique addresses. Two caveats: the public-internet form of Cloud NAT does not translate VPC-to-VPC traffic, and network tags are not part of the translation (they only select which instances a route or firewall rule applies to). Private NAT is also one-directional: connections must originate from the translated side, and the far spoke cannot initiate a connection to the original overlapping address, so if both directions are required, re-IPing one spoke remains necessary.

Exam trap

The trap here is that candidates assume VPN tunnels or VPC peering can handle overlapping IPs through routing alone, but they forget that IP routing requires unique destination addresses, and without NAT, overlapping ranges cause black-holing or asymmetric routing.

How to eliminate wrong answers

Option B is wrong because Cloud VPN tunnels between spokes through the hub would still require unique IP ranges for routing; overlapping CIDRs would cause routing conflicts in the hub's route tables, as VPN tunnels rely on destination IP-based routing that cannot distinguish overlapping ranges without NAT. Option C is wrong because configuring static routes in the hub to summarize ranges with a smaller prefix does not resolve IP conflicts; summarization assumes non-overlapping ranges, and overlapping CIDRs would still cause ambiguity in route selection. Option D is wrong because VPC peering between each spoke VPC would directly expose overlapping IP ranges, leading to routing failures and inability to establish peering connections due to conflicting subnets.

365
Multi-Selecteasy

What are two best practices for designing a scalable Kubernetes architecture on GKE?

Select 2 answers
A.Use StatefulSets for stateless applications
B.Disable Cluster Autoscaler
C.Enable horizontal pod autoscaling
D.Use node pools with different machine types
E.Use a single zone cluster
AnswersC, D

Auto-scales pods based on metrics.

Why this answer

Option C is correct because Horizontal Pod Autoscaler (HPA) automatically scales the number of pod replicas based on observed CPU/memory utilization or custom metrics, which is essential for handling variable workloads in a scalable Kubernetes architecture on GKE. HPA works by querying the Metrics Server and adjusting the `replicas` field in the Deployment or StatefulSet, ensuring efficient resource usage without manual intervention. Option D is correct because separate node pools with different machine types let workloads with different CPU, memory, or accelerator needs be scheduled onto appropriately sized nodes (via node selectors, affinity, or taints), and each pool can be autoscaled independently rather than sizing every node for the most demanding workload.

Exam trap

Google Cloud often tests the misconception that StatefulSets are interchangeable with Deployments for stateless apps, or that disabling Cluster Autoscaler simplifies management, but the trap here is that candidates may overlook the need for multi-zonal clusters and autoscaling mechanisms to achieve true scalability and resilience in GKE.

366
MCQmedium

After a data corruption incident, a company needs to restore their Cloud SQL for PostgreSQL instance from a backup. What is the correct procedure to minimize downtime?

A.Restore the backup directly to the existing Cloud SQL instance
B.Create a new instance from the backup, then rename and delete the old instance
C.Use point-in-time recovery to restore to a time before corruption
D.Export the backup to Cloud Storage and import into the existing instance
AnswerA

Cloud SQL supports restoring from backup to the same instance with minimal steps.

Why this answer

Restoring a backup onto the existing instance avoids the cutover work that a new instance requires: the instance keeps its name, IP addresses, connection name, users, and IAM bindings, so applications reconnect without any configuration change. The restore itself overwrites all data on the instance and the instance is unavailable while it runs; its duration depends on the size of the backup rather than being fixed. Two practical caveats: Cloud SQL will not restore onto an instance that has read replicas (delete them first), and because the restore is destructive, take an on-demand backup of the corrupted state before overwriting it so the corruption can still be analysed afterwards.

Exam trap

Google Cloud often tests the misconception that creating a new instance and cutting over to it is the standard recovery procedure, but the trap here is that candidates overlook the cutover cost: provisioning time, a new IP address and connection name that every client must be repointed to, and users and IAM bindings that must be recreated, all of which make the in-place restore the choice that minimizes downtime.

How to eliminate wrong answers

Option B is wrong because creating a new instance adds provisioning time plus a cutover: the new instance has a different IP address and connection name, so every client's configuration (or the Cloud SQL Auth Proxy and connector targets) must be updated, and users and IAM bindings must be recreated. Option C is wrong in the frame of this question because point-in-time recovery always produces a new instance, so it carries the same cutover cost as B, and it depends on transaction logs still being retained for the target time; it is the better choice when the goal is to lose as little data as possible up to the moment of corruption, not when the goal is minimal downtime on the existing instance. Option D is wrong because export and import go through a SQL dump in Cloud Storage (for example `pg_dump` output imported with the Cloud SQL import operation), which is far slower than a backup restore for large databases and is intended for migration between instances or engines, not for recovery.

367
MCQhard

A company is using BigQuery for analytics and wants to optimize query costs. They have many ad-hoc queries that scan large tables. What is the best practice?

A.Use clustering and partitioning on tables.
B.Use flat-rate pricing.
C.Use BI Engine.
D.Use materialized views.
AnswerA

Clustering and partitioning organize data to minimize scanned bytes, lowering per-query cost.

Why this answer

Clustering and partitioning reduce the amount of data scanned by BigQuery for each query, directly lowering query costs (which are based on bytes processed). Partitioning allows queries to skip entire partitions based on a date or timestamp column, while clustering sorts data within partitions, enabling block-level pruning for filter predicates. This is the most effective and scalable way to optimize ad-hoc queries on large tables without changing the query logic.

Exam trap

Google Cloud often tests the misconception that flat-rate pricing or BI Engine directly reduce per-query costs, when in fact they address capacity or latency, not the fundamental cost driver of bytes scanned.

How to eliminate wrong answers

Option B is wrong because flat-rate (slot-based) pricing changes how compute is billed, not how much data each query touches; ad-hoc queries still consume slots, and under either pricing model scanning fewer bytes is what makes them cheaper and faster. Option C is wrong because BI Engine is an in-memory acceleration service for interactive dashboards and repeated queries, not for optimizing ad-hoc analytical queries that scan large tables; it speeds up queries it can serve from memory but does not reduce the bytes a new query scans. Option D is wrong because materialized views precompute and store query results, which speeds up repeated queries that match the view definition but does not help arbitrary ad-hoc queries; they also incur storage and refresh costs.

368
MCQhard

A company runs a critical application on Compute Engine instances in a managed instance group (MIG) across three zones in us-central1. The application uses a Cloud Spanner database. Recently, the application experienced increased latency and timeouts during peak hours. The operations team noticed that the MIG's CPU utilization is consistently above 80% during peak hours, and the autoscaler is configured to scale based on CPU utilization with a target of 60%. However, the autoscaler is not adding new instances quickly enough, causing performance degradation. The team also observed that new instances take over 5 minutes to become healthy and serve traffic. The health check is a simple TCP check on port 8080. The application startup script downloads large configuration files from Cloud Storage. What should the team do to improve the autoscaling response time and reduce latency?

A.Increase the minimum number of instances in the MIG to handle peak load.
B.Reduce the autoscaler target CPU utilization to 40% so it scales earlier.
C.Create a custom Compute Engine image that includes the application and configuration, and use it in the MIG.
D.Change the health check to HTTP and reduce the initial delay and check intervals.
AnswerC

Custom image reduces startup time, allowing faster scaling.

Why this answer

Option C is correct because the primary bottleneck is the long instance startup time (over 5 minutes) caused by downloading large configuration files from Cloud Storage at boot. By creating a custom Compute Engine image that bakes the application and configuration into the image, new instances can start serving traffic almost immediately, drastically reducing the time before they become healthy and the autoscaler can consider them in scaling decisions. This directly addresses the root cause of slow autoscaling response, as the autoscaler cannot add instances faster than they become healthy.

Exam trap

The trap here is that candidates focus on tuning the autoscaler parameters (CPU target, health check intervals) rather than identifying the actual bottleneck—the instance startup time—which is a common misconception that autoscaling speed is purely a function of scaling policy settings.

How to eliminate wrong answers

Option A is wrong because increasing the minimum number of instances only handles baseline load, not the dynamic scaling speed during peak hours; it does not fix the slow instance startup time that delays autoscaler response. Option B is wrong because reducing the target CPU utilization to 40% would cause the autoscaler to trigger earlier, but it still cannot add instances faster than the 5-minute startup delay; it would only increase the number of pending instances without improving latency. Option D is wrong because changing the health check to HTTP and reducing intervals only affects how quickly the MIG detects an instance as healthy after it starts, but the fundamental problem is the 5-minute startup time itself—no health check tuning can make the instance boot faster.

369
MCQhard

An organization has a security policy that prohibits the use of external IP addresses on Compute Engine instances to reduce attack surface. They want to enforce this policy across all new and existing projects. Which approach should they use?

A.Use Organization Policy with constraint compute.vmExternalIpAccess
B.Use IAM conditions to prevent creation of instances with external IPs
C.Use Cloud Security Command Center to detect and alert on external IPs
D.Use VPC Firewall rules to block traffic to external IPs
AnswerA

This constraint explicitly prevents creation of VMs with external IPs and can be applied at org level.

Why this answer

The organization policy list constraint `constraints/compute.vmExternalIpAccess` set to deny all blocks assignment of external IP addresses to VM instances everywhere below the node it is set on, including projects that already exist, and it can carry a narrow allow list of instance names for approved exceptions. IAM conditions cannot express "no external IP" because the decision depends on a field of the request body rather than on the resource or the identity; firewall rules act on traffic after the IP already exists; Security Command Center only detects violations after creation. Note that the constraint is enforced on new assignments: a VM that already holds an external IP keeps it until its access config is removed, so pair the policy with an inventory of existing instances.
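Both halves of the enforcement as Terraform, added here as an example rather than taken from the page: the organization-wide deny, plus the shape of a narrow per-project exception for a bastion host that legitimately needs a public address. The organization ID, project name, and instance name are assumptions:

```hcl
# Added example (not from the original page). Organization ID, project and
# instance names are assumed values.
locals {
  org_id           = "123456789012"
  bastion_project  = "acme-bastion"
  bastion_instance = "projects/acme-bastion/zones/us-central1-a/instances/bastion-1"
}

# Organization-wide: no VM anywhere may be assigned an external IP.
resource "google_org_policy_policy" "no_external_ip" {
  name   = "organizations/${local.org_id}/policies/compute.vmExternalIpAccess"
  parent = "organizations/${local.org_id}"
  spec {
    rules {
      deny_all = "TRUE"
    }
  }
}

# Explicit exception, scoped to one project and one named instance. With
# inherit_from_parent = false this policy replaces the organization rule for
# this project only; for a list constraint, naming allowed values denies every
# value not listed, so every other VM in the project is still blocked.
resource "google_org_policy_policy" "bastion_exception" {
  name   = "projects/${local.bastion_project}/policies/compute.vmExternalIpAccess"
  parent = "projects/${local.bastion_project}"
  spec {
    inherit_from_parent = false
    rules {
      values {
        allowed_values = [local.bastion_instance]
      }
    }
  }
}
```

Because the constraint does not strip addresses that already exist, follow the apply with an inventory such as `gcloud compute instances list --format='table(name,zone,networkInterfaces[].accessConfigs[].natIP)'` per project and remove the access configs that should not be there; the policy then keeps them from coming back.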

370
Multi-Selecthard

Which THREE actions can help reduce costs for a BigQuery workload that runs frequent, ad-hoc analytical queries on a large dataset?

Select 3 answers
A.Enable automatic schema detection to avoid manual schema definition.
B.Partition the table by a date or timestamp column.
C.Create materialized views for common aggregation queries.
D.Use clustering on columns frequently used in filter clauses.
E.Use flat-rate pricing with reserved slots.
AnswersB, C, D

Partitioning, clustering, and materialized views all reduce the bytes a query has to read, which is what on-demand pricing bills for.

Why this answer

Partitioning the table by a date or timestamp column (Option B) lets BigQuery prune partitions outside the filter range, so a query that filters on that column reads, and is billed for, only the relevant partitions. Clustering on frequently filtered columns (Option D) sorts the data within each partition so that filters and aggregations on those columns skip blocks that cannot match. Materialized views for common aggregations (Option C) hold precomputed results that BigQuery maintains incrementally and can substitute transparently for queries that match the view, so the recurring part of an ad-hoc workload no longer rescans the base table. Option A concerns schema convenience, not cost; Option E changes how capacity is paid for, not how many bytes a query touches.

Exam trap

Google Cloud often tests the distinction between cost-reduction techniques that reduce bytes scanned (partitioning, clustering, materialized views) versus pricing model choices (flat-rate vs. on-demand), leading candidates to mistakenly select flat-rate pricing as a cost-saving action for ad-hoc queries.
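The table layout that questions 367 and 370 describe, written as a Terraform BigQuery table definition (an added example, not code from the page), with `require_partition_filter` added as the guard rail a practitioner wants when ad-hoc users query a large table. Project, dataset, table, and column names are assumptions:

```hcl
# Added example (not from the original page). Project, dataset, table and
# column names are assumed values.
locals {
  project = "acme-analytics"
}

resource "google_bigquery_dataset" "analytics" {
  project    = local.project
  dataset_id = "analytics"
  location   = "US"
}

resource "google_bigquery_table" "events" {
  project    = local.project
  dataset_id = google_bigquery_dataset.analytics.dataset_id
  table_id   = "device_events"

  # Partition on the event timestamp, not ingestion time, so that the column
  # analysts actually filter on is the one that prunes partitions.
  time_partitioning {
    type  = "DAY"
    field = "event_ts"
  }

  # Reject any query that has no filter on event_ts. This is the control that
  # stops an unbounded ad-hoc query from scanning the whole table.
  require_partition_filter = true

  # Within each daily partition, co-locate rows by the columns most often used
  # in WHERE clauses so block pruning applies to them as well.
  clustering = ["device_id", "event_type"]

  schema = jsonencode([
    { name = "event_ts",   type = "TIMESTAMP", mode = "REQUIRED" },
    { name = "device_id",  type = "STRING",    mode = "REQUIRED" },
    { name = "event_type", type = "STRING",    mode = "NULLABLE" },
    { name = "payload",    type = "JSON",      mode = "NULLABLE" },
  ])
}
```

The check that shows the effect is a dry run: `bq query --dry_run --use_legacy_sql=false` on a query with `WHERE event_ts >= TIMESTAMP('2024-06-01') AND device_id = 'd-42'` reports the bytes that would be billed, and the same query without the timestamp predicate is rejected outright on this table instead of silently scanning every partition.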

371
Multi-Selecthard

A company uses Cloud CDN to accelerate content delivery. They notice that some users receive stale content even after purging the cache. Which THREE factors could cause this?

Select 3 answers
A.The content is compressed with gzip.
B.The purge request did not complete successfully.
C.The content was cached at multiple edge locations and not all were purged.
D.The CDN is configured with signed URLs.
E.The origin server returns a long Cache-Control: max-age header, causing the CDN to ignore the purge.
AnswersB, C, E

Failed purge operations leave stale cache intact.

Why this answer

Option B is correct because a purge request that does not complete successfully leaves cached content intact, so users keep receiving stale data. Cloud CDN processes invalidation requests asynchronously, and if the request fails (for example because of an invalid path pattern) the cache is not invalidated. Note also that invalidation clears Google's edge caches only: a copy already held by the user's browser or an intermediate proxy is governed by the origin's `Cache-Control` headers and is untouched by the purge, which is why a long `max-age` from the origin (Option E) can keep stale content in front of users even after a successful invalidation.

Exam trap

Google Cloud often tests the misconception that a purge is instantaneous and global, leading candidates to overlook that incomplete or failed purge requests can leave stale content at some edge locations.

372
MCQmedium

A company is using Cloud CDN to accelerate content delivery. They notice increased costs from cache misses. What can they do?

A.Pre-cache popular content.
B.Use a larger cache size.
C.Increase cache TTL.
D.Use compression.
AnswerA

Pre-caching ensures popular content is always in the cache, reducing misses and cost.

Why this answer

Pre-caching popular content ensures that the most frequently requested objects are already stored in Cloud CDN edge caches before users request them. This directly reduces cache misses because the content is proactively loaded, eliminating the need for the first user to trigger a fetch from the origin. By targeting high-demand assets, you minimize origin requests and lower the cost associated with cache misses.

Exam trap

Google Cloud often tests the misconception that increasing cache TTL or cache size can fix cache misses, when in reality these settings only affect how long content stays fresh or how much can be stored, not whether the content is present in the first place.

How to eliminate wrong answers

Option B is wrong because cache size in Cloud CDN is not a configurable parameter; the service automatically manages cache storage based on usage and does not allow manual resizing, so increasing cache size is not a valid action. Option C is wrong because increasing cache TTL (Time-To-Live) only extends how long a cached object is considered fresh, but it does not address the root cause of cache misses—objects that are not in the cache at all will still miss regardless of TTL. Option D is wrong because compression reduces the size of objects transferred but does not affect cache hit ratio; it can even increase CPU load at the origin and edge without preventing cache misses.

373
MCQmedium

A company is using Cloud Load Balancing with backend services across multiple regions. They notice that traffic is not being evenly distributed and some backends are overloaded. Which configuration should they check?

A.Session affinity settings
B.Firewall rules
C.Cloud CDN caching
D.Health check frequency
AnswerA

Sticky sessions can lead to uneven load distribution.

Why this answer

Session affinity (sticky sessions) directs all requests from a single client to the same backend instance. If enabled, this can cause uneven load distribution because certain clients may generate disproportionately more traffic, overloading their pinned backends while others remain underutilized. Disabling or properly configuring session affinity allows the load balancer to distribute requests based on its default algorithm (e.g., round-robin or least-connections), improving balance across backends.

Exam trap

Google Cloud often tests the misconception that health checks or firewall rules are responsible for load distribution, when in fact session affinity is the primary configuration that can cause uneven traffic patterns by overriding the default balancing algorithm.

How to eliminate wrong answers

Option B is wrong because firewall rules control allowed traffic to/from backends but do not influence how the load balancer distributes incoming requests among healthy instances. Option C is wrong because Cloud CDN caching reduces load on backends by serving cached content at edge locations, but it does not affect the distribution of requests that reach the load balancer's backend pool. Option D is wrong because health check frequency determines how often the load balancer probes backend health, affecting failover speed but not the balancing algorithm or distribution of traffic among healthy backends.

374
MCQmedium

A healthcare SaaS provider runs workloads in Google Cloud and needs to comply with HIPAA. They use Cloud SQL for PostgreSQL and want to encrypt data at rest with customer-managed encryption keys (CMEK). Which steps must they take?

A.Create a Cloud KMS key ring and key, then specify the key when creating the Cloud SQL instance
B.Use customer-supplied encryption keys (CSEK) by uploading your own key material
C.Enable CMEK in the Cloud SQL instance's settings after creation
D.Create a Cloud HSM key and grant the Cloud SQL service account access to it
AnswerA

This is the correct process for CMEK in Cloud SQL.

Why this answer

Option A is correct because Cloud SQL for PostgreSQL supports CMEK only at instance creation time. You must first create a Cloud KMS key ring and key in the same region as the instance, then specify that key when creating the Cloud SQL instance. This ensures that the data at rest is encrypted with a customer-managed key, meeting HIPAA compliance requirements for control over encryption keys.

Exam trap

The trap here is that candidates often assume CMEK can be enabled after instance creation (like enabling encryption on a bucket) or confuse CMEK with CSEK, but Cloud SQL requires the key to be specified at creation time and does not support post-creation encryption changes.

How to eliminate wrong answers

Option B is wrong because CSEK (customer-supplied encryption keys) is not supported for Cloud SQL; it is used only with Compute Engine and Cloud Storage, and it requires you to manage key material outside of Google Cloud, which does not meet the CMEK requirement. Option C is wrong because CMEK cannot be enabled after creation; Cloud SQL requires the key to be specified at instance creation time, and you cannot change the encryption key later. Option D is wrong because while Cloud HSM can be used as a key source for CMEK, simply creating a Cloud HSM key and granting the Cloud SQL service account access is insufficient; you must also create a key ring and key in Cloud KMS (or HSM) and specify that key during instance creation, and the service account must be granted the Cloud KMS CryptoKey Encrypter/Decrypter role, not just any access.

375
MCQ · easy

A media company wants to serve publicly available images and videos to a global audience with low latency. Which Google Cloud service should they primarily use?

A. Cloud Storage with public bucket serving the files.
B. Cloud CDN with Cloud Storage as the origin.
C. Cloud Run with a container that serves the files.
D. Compute Engine with an HTTP server.
Answer: B

Cloud CDN caches content from Cloud Storage at edge locations, reducing latency for global users.

Why this answer

Cloud CDN with Cloud Storage as the origin is the correct choice because it uses Google's global edge cache to serve publicly available images and videos from Cloud Storage, minimizing latency for a global audience. Cloud CDN caches content at edge locations worldwide, reducing the round-trip time to the origin bucket, while Cloud Storage provides scalable, durable object storage. This combination is purpose-built for delivering static content with low latency and high throughput.

Exam trap

The trap here is that candidates often choose Cloud Storage with a public bucket (Option A) because it seems simplest, overlooking that Cloud CDN is required to achieve global low-latency delivery by caching content at edge locations.

How to eliminate wrong answers

Option A is wrong because a public Cloud Storage bucket serves files directly from the bucket's regional location, which does not provide global edge caching, resulting in higher latency for users far from the bucket's region. Option C is wrong because Cloud Run is a serverless compute platform designed for running containerized applications, not optimized for serving static files at scale; it lacks built-in edge caching and would incur unnecessary compute costs and cold-start latency. Option D is wrong because Compute Engine with an HTTP server requires manual scaling and maintenance and lacks integrated global caching, making it inefficient and costly for serving static content to a global audience compared to a managed CDN solution.
