Google Professional Cloud Architect (PCA) — Questions 526–600

1000 questions total · 14 pages · All types, answers revealed

Page 8 of 14
526 · MCQ · hard

An organization requires that all Compute Engine instances in a project must have a specific tag for firewall rule compliance. How can they enforce this?

A. Use IAM roles to restrict instance creation
B. Use a startup script to add the tag
C. Use a mandatory tag via organization policy
D. Use Cloud Asset Inventory

Answer: C

Organization policies can enforce constraints like `compute.requireTags`.

Why this answer

Option C is correct because Organization Policies in Google Cloud can enforce constraints that require resources, including Compute Engine instances, to have specific labels or tags. The `compute.requireOsLogin` or custom constraint `compute.requireInstanceTag` can be used to mandate that all instances must have a particular tag, and any instance creation that violates this policy will be denied at the API level, ensuring compliance without relying on user behavior.

Exam trap

The trap here is that candidates often confuse IAM roles with Organization Policies, thinking that restricting creation permissions (Option A) is sufficient, but IAM cannot enforce resource-level attributes like tags, which is a common misconception in policy-based governance questions.

How to eliminate wrong answers

Option A is wrong because IAM roles control who can create instances, not what tags are applied to the instances; they cannot enforce a specific tag value. Option B is wrong because a startup script runs after the instance is created, so it cannot prevent the creation of an instance without the required tag, and the instance would already exist in violation of the firewall rule compliance. Option D is wrong because Cloud Asset Inventory is a service for discovering and monitoring cloud resources, not for enforcing policies or preventing non-compliant resource creation.

527 · MCQ · easy

A company wants to ensure that all audit logs for a project are retained for 7 years for compliance purposes. Which type of audit logs in Cloud Logging should they configure for the longest retention?

A. Export all audit logs to Cloud Storage with a retention policy
B. Admin Activity audit logs
C. Data Access audit logs
D. System Event audit logs

Answer: A

Exporting to Cloud Storage allows you to set a retention policy of 7 years.

Why this answer

Cloud Logging retains logs for a default period, but for long-term retention you can export logs to Cloud Storage. All audit logs (Admin Activity, Data Access, System Event) can be exported and stored in a bucket with retention policies. The question might refer to the default retention: Admin Activity logs are retained for 400 days, Data Access for 30 days, but you can export to Cloud Storage for longer.

The best answer is to export all audit logs to Cloud Storage.

528 · MCQ · easy

Which Google Cloud service automatically computes the optimal size or tier for underutilized Compute Engine instances and generates recommendations to reduce cost?

A. Cloud Monitoring
B. Cloud Profiler
C. Cost Management
D. Recommender (Active Assist)

Answer: D

The Recommender service includes rightsizing recommendations for underutilized VMs.

Why this answer

Active Assist includes rightsizing recommendations that analyze VM utilization and suggest appropriate machine types or tiers to reduce cost without sacrificing performance.

529 · MCQ · hard

An e-commerce platform uses Cloud Spanner in a multi-region configuration. They want to achieve the highest possible availability SLA. Which deployment configuration should they choose?

Answer options not yet available.

Why this answer

Cloud Spanner offers a 99.999% SLA for multi-region configurations. To achieve this, you must use a multi-region instance (e.g., nam3, eur3) that replicates data across at least three regions. A single-region configuration only offers 99.99% SLA.

530 · MCQ · medium

A company is deploying a microservices application on Google Kubernetes Engine (GKE). They want to optimize costs without sacrificing availability. They have varying traffic patterns. Which strategy should they recommend?

A. Use committed use discounts with a 3-year term on all nodes.
B. Use GKE Autopilot with a single node pool.
C. Use a regional cluster with node pools of different machine types.
D. Use node auto-provisioning with preemptible nodes.

Answer: D

Node auto-provisioning dynamically creates node pools, and preemptible nodes lower the cost.

Why this answer

Node auto-provisioning with preemptible nodes automatically creates node pools based on workload demands and uses cheaper preemptible VMs, reducing cost for variable traffic. Regional clusters focus on high availability, not cost. Committed use discounts lock in usage and are not optimal for variable traffic.

GKE Autopilot provides convenience but may not be the most cost-efficient with preemptible options.

531 · MCQ · medium

Your team uses Cloud SQL for PostgreSQL for an e-commerce application. You want to perform point-in-time recovery (PITR) to recover from a logical error that occurred 10 minutes ago. Which prerequisites are required?

A. Automated backups must be enabled, and the instance must be using the InnoDB storage engine
B. Automated backups and binary logging must be enabled
C. Point-in-time recovery is not supported for Cloud SQL PostgreSQL
D. Automated backups must be enabled, and write-ahead logging (WAL) must be active

Answer: D

PostgreSQL PITR requires automated backups and WAL.

Why this answer

Cloud SQL PITR requires automated backups and binary logging (for MySQL) or write-ahead logging (for PostgreSQL) to be enabled. Automated backups must be configured, and the instance must be using the appropriate database flags. For PostgreSQL, 'cloudsql.logical_decoding' and 'cloudsql.enable_pitr' are needed.

532 · MCQ · medium

The exhibit shows the output of a 'gcloud compute instances describe' command for an instance. What is the most likely impact on reliability if the host machine needs maintenance?

A. The instance will be terminated and then restarted, causing a brief downtime.
B. The instance will not be affected because automatic restart is enabled.
C. The instance will be backed up automatically before maintenance.
D. The instance will be live migrated to another host without interruption.

Answer: A

With TERMINATE, the instance is shut down and later restarted on a healthy host, resulting in downtime.

Why this answer

Option A is correct because when a host machine requires maintenance, Google Compute Engine instances that are not configured for live migration will be terminated and then restarted on another host. This behavior is determined by the 'onHostMaintenance' setting; if it is set to 'TERMINATE' (the default for instances with GPUs or preemptible VMs), the instance stops and restarts, causing brief downtime. The exhibit likely shows 'onHostMaintenance: TERMINATE' or the instance lacks live migration support, making termination and restart the expected outcome.

Exam trap

Google Cloud often tests the distinction between 'automatic restart' (which handles crash recovery) and 'onHostMaintenance' (which handles planned maintenance), causing candidates to mistakenly think automatic restart prevents downtime during maintenance.

How to eliminate wrong answers

Option B is wrong because 'automatic restart' is a separate setting that controls whether an instance restarts after a failure or crash, not how it behaves during host maintenance; it does not prevent downtime from maintenance events. Option C is wrong because Google Compute Engine does not automatically back up instances before host maintenance; backups must be configured separately via snapshots or images. Option D is wrong because live migration is only possible if the instance has 'onHostMaintenance' set to 'MIGRATE' and does not have GPUs, local SSDs, or preemptible status; the exhibit likely shows a configuration that disables live migration, such as a GPU attached or the setting explicitly set to 'TERMINATE'.

533 · MCQ · medium

A security team needs to detect and redact personally identifiable information (PII) from documents uploaded to Cloud Storage before they are stored. Which GCP service should they use?

A. Cloud Audit Logs
B. Cloud Data Loss Prevention (DLP) API
C. Security Command Center
D. Access Transparency

Answer: B

Why this answer

Cloud DLP (Data Loss Prevention) API can inspect and de-identify sensitive data in documents and can be integrated with Cloud Storage workflows.

534 · Multi-Select · medium

A company is moving a legacy application to Google Cloud. The application uses a PostgreSQL database and must be re-platformed with minimal code changes. They require high availability across zones and automatic failover within the same region. Which TWO database services meet these requirements? (Choose 2.)

Select 2 answers
A. AlloyDB for PostgreSQL
B. Cloud SQL for PostgreSQL
C. Firestore
D. Cloud Bigtable
E. Cloud Spanner

Answers: A, B

AlloyDB is PostgreSQL-compatible, provides high availability, and requires minimal code changes.

Why this answer

Cloud SQL for PostgreSQL provides regional high availability with automatic failover across zones. AlloyDB is PostgreSQL-compatible, offers high availability with a primary and standby instance, and is optimized for performance. Cloud Spanner is globally distributed but requires more code changes.

Bigtable is not PostgreSQL-compatible. Firestore is NoSQL.

535 · MCQ · hard

An organization wants to establish a dedicated, low-latency connection between their on-premises data center and GCP with a guaranteed SLA of 99.99% uptime. They anticipate high bandwidth usage but want to avoid per-GB egress charges. Which connectivity option should they choose?

A. Dedicated Cloud Interconnect
B. Partner Cloud Interconnect
C. Cloud VPN with HA VPN gateway
D. Classic VPN

Answer: A

Dedicated Interconnect provides 99.99% SLA, high bandwidth, and no egress charges, meeting all requirements.

Why this answer

Dedicated Cloud Interconnect provides a direct physical connection with SLA up to 99.99%, high bandwidth, and no egress charges, ideal for high-volume hybrid workloads.

536 · MCQ · hard

An engineer is troubleshooting a Cloud Build trigger that fails with the error 'PERMISSION_DENIED: Cloud Build service account does not have permission to access Artifact Registry'. The build needs to push a Docker image to Artifact Registry. What is the correct IAM role to assign to the Cloud Build service account?

A. roles/artifactregistry.writer
B. roles/artifactregistry.viewer
C. roles/editor
D. roles/storage.objectAdmin

Answer: A

This role allows uploading artifacts to Artifact Registry, which includes pushing Docker images.

Why this answer

The Cloud Build service account (usually project-number@cloudbuild.gserviceaccount.com) needs the Artifact Registry Writer role to push images. Editor role is too broad; Viewer is read-only; Storage Object Admin is for Cloud Storage, not Artifact Registry.

537 · MCQ · medium

A company has a multi-project Google Cloud environment with strict compliance requirements. They need to ensure that all projects enforce a uniform set of constraints, such as requiring CMEK for Compute Engine disk encryption and blocking the use of public IPs on VMs. They have defined these constraints using Organization Policies at the organization level. However, the security team discovers that some projects are not enforcing the constraints because they have been overridden at the project level by the respective project owners. The security team wants a solution that prevents project-level overrides while maintaining the ability to apply exceptions at a folder level when approved. What should they do?

A. Deploy Forseti Security to automatically remediate when projects override policies.
B. Use Cloud Asset Inventory to monitor for non-compliant projects and alert the security team.
C. Manually remove the overridden policies in each project and set the constraints at the organization level again.
D. Move all projects under a common folder and set the Organization Policies at that folder level with 'enforce: true'.

Answer: D

Folder-level policies cannot be overridden by project-level policies, ensuring enforcement while allowing folder-level exceptions.

Why this answer

Option D is correct because setting the Organization Policy at the folder level (e.g., a 'compliance' folder that contains all projects) with the 'enforce: true' setting on constraints ensures that project-level overrides are not possible unless explicitly allowed by the folder policy. Option C is wrong because removing overrides manually is not scalable and does not prevent future overrides. Option B is wrong because Cloud Asset Inventory is for auditing, not enforcement.

Option A is wrong because Forseti is a security tool but does not provide the policy enforcement mechanism of Organization Policies.

538 · MCQ · hard

A data analytics team needs to run complex SQL queries on a large dataset stored in Cloud Storage (CSV files). The queries are ad-hoc and require fast execution. The data is updated daily. Which Google Cloud service should they use to query the data directly in Cloud Storage with minimal setup?

A. Dataproc
B. BigQuery
C. Dataflow
D. Cloud SQL

Answer: B

BigQuery supports external tables that query data directly from Cloud Storage, enabling fast ad-hoc SQL.

Why this answer

BigQuery can query external data sources, including Cloud Storage, using federated queries, so for ad-hoc SQL on CSV files BigQuery is the best choice. Cloud SQL is not designed for external data. Dataproc is for Spark/Hadoop.

Dataflow is for stream/batch processing.

539 · Multi-Select · medium

Which TWO actions are required to allow a private GKE cluster to pull container images from Artifact Registry in the same project?

Select 2 answers
A. Create a firewall rule allowing outbound traffic to Artifact Registry IP ranges.
B. Set up VPC Network Peering with the Artifact Registry service.
C. Configure Cloud NAT for the GKE cluster.
D. Enable Private Google Access on the subnet where the GKE nodes are deployed.
E. Grant the Artifact Registry Reader role to the GKE service account.

Answers: D, E

Private Google Access allows nodes without external IPs to reach Google APIs.

Why this answer

Option D is correct because Private Google Access enables GKE nodes with only internal IP addresses to reach Google APIs and services, including Artifact Registry, over Google's private network rather than the public internet. Option E is correct because the GKE node's service account must have the Artifact Registry Reader role (roles/artifactregistry.reader) to authenticate and pull container images from the registry.

Exam trap

Google Cloud often tests the misconception that Cloud NAT is required for private clusters to access Google APIs, but Private Google Access is the correct mechanism for reaching Google-managed services like Artifact Registry without public IPs.

540 · MCQ · medium

A company needs to connect their on-premises data center to Google Cloud with a dedicated, low-latency, and highly available connection. They require at least 10 Gbps throughput and want to avoid internet-based VPN. Which connectivity option should they choose?

A. Dedicated Cloud Interconnect
B. Partner Cloud Interconnect
C. Classic VPN
D. HA VPN

Answer: A

Dedicated Interconnect provides a direct, private connection with up to 10 Gbps per circuit, low latency, and high availability.

Why this answer

Dedicated Cloud Interconnect provides a direct physical connection between on-premises and Google Cloud, offering high throughput (10 Gbps or more), low latency, and high availability. Partner Interconnect uses a third-party provider, introducing potential latency. HA VPN can be highly available, but it still runs over the internet.

Classic VPN is a single tunnel with lower reliability.

541 · Multi-Select · medium

A company runs a web application on GKE and wants to expose it to the internet using a global HTTP(S) load balancer with Cloud CDN. Which TWO GCP resources are required to configure this setup? (Choose TWO.)

Select 2 answers
A. Kubernetes Ingress resource with a GCE ingress controller
B. Cloud NAT gateway
C. Backend service with health check configuration
D. A Kubernetes Service of type LoadBalancer
E. Cloud VPN tunnel

Answers: A, C

Ingress with GCE controller creates an external HTTP(S) load balancer and integrates with Cloud CDN.

Why this answer

An Ingress resource with the ingress-gce controller (or a standalone NEG) is needed to route traffic from the load balancer to GKE services. A backend service defines the health checks and traffic distribution.

542 · MCQ · hard

A financial services company is designing a multi-region disaster recovery architecture for a critical application. The application runs on Compute Engine with a stateful backend using Cloud Spanner. The Recovery Time Objective (RTO) is 1 hour, and the Recovery Point Objective (RPO) is 15 minutes. What architecture meets these requirements cost-effectively?

A. Deploy the application in two regions with active-active traffic load balancing and Cloud Spanner multi-region configuration.
B. Deploy in one region with scheduled snapshots to Cloud Storage and use persistent disk snapshots for recovery.
C. Deploy in two regions with active-passive using Cloud Load Balancing and Cloud Spanner backup/restore.
D. Use a single region with Cloud SQL for PostgreSQL and enable cross-region replication using Cloud SQL replica.

Answer: A

Cloud Spanner multi-region provides synchronous replication with an RPO well under 15 minutes, and its automatic failover meets the RTO.

Why this answer

Option A is correct because it uses Cloud Spanner's multi-region configuration, which provides synchronous replication across regions with automatic failover, meeting an RPO of 15 minutes (typically seconds) and an RTO of 1 hour. Active-active traffic load balancing with Compute Engine ensures that the application can immediately route traffic to the healthy region, minimizing downtime without the need for manual failover or backup/restore operations.

Exam trap

The trap here is that candidates often confuse Cloud Spanner's backup/restore (asynchronous, slow) with its multi-region configuration (synchronous, fast), or assume that active-passive with backups can meet low RTO/RPO when in reality only synchronous replication can achieve sub-minute RPO and automatic failover.

How to eliminate wrong answers

Option B is wrong because scheduled snapshots to Cloud Storage and persistent disk snapshots are asynchronous and can take longer than 15 minutes to capture, potentially exceeding the RPO; also, recovery from snapshots involves manual steps that likely exceed the 1-hour RTO. Option C is wrong because Cloud Spanner backup/restore is an asynchronous process that can take hours to restore a database, far exceeding the 1-hour RTO, and active-passive setups introduce failover delays that may not meet the RTO. Option D is wrong because Cloud SQL for PostgreSQL with cross-region replication uses asynchronous replication, which can result in data loss exceeding the 15-minute RPO, and Cloud SQL does not support the same multi-region synchronous replication capabilities as Cloud Spanner.

543 · MCQ · medium

An organization has multiple GCP projects managed by a central operations team. They want to define a common VPC configuration in a host project and allow service projects to use it. Which networking feature should they use?

A. Shared VPC
B. Private Service Connect
C. Cloud VPN
D. VPC peering

Answer: A

Shared VPC enables a host project to share VPC networks with service projects.

Why this answer

Shared VPC allows a host project to contain shared VPC networks that service projects can use. VPC peering is for connecting separate networks. Private Service Connect is for accessing managed services.

Cloud VPN is for on-premises connectivity.

544 · Multi-Select · medium

A team is deploying a stateful application on GKE. They want to ensure that the application's pods are distributed across different zones for high availability and that during cluster upgrades, at least one pod remains available. Which THREE features should they configure?

Select 3 answers
A. Pod topology spread constraints
B. StatefulSet for the application
C. Cluster autoscaler
D. Horizontal Pod Autoscaler
E. PodDisruptionBudget

Answers: A, B, E

This spreads pods across zones or other topology domains.

Why this answer

Pod topology spread constraints distribute pods across zones. PodDisruptionBudget ensures minimum available pods during voluntary disruptions. Cluster autoscaler is not directly for availability, but for scaling nodes.

StatefulSet is for stateful workloads but doesn't guarantee zone distribution without constraints.

545 · Multi-Select · easy

A company wants to store infrequently accessed archival data that must be retained for 7 years. They need low storage cost and retrieval times of a few hours are acceptable. Which TWO storage classes should they consider? (Choose TWO.)

Select 2 answers
A. Nearline
B. Standard
C. Regional
D. Coldline
E. Archive

Answers: D, E

Coldline is low-cost for infrequent access (quarterly) and retrieval in hours.

Why this answer

Coldline has a 90-day minimum storage duration and is for data accessed less than once a quarter. Archive has a 365-day minimum and is for data accessed less than once a year. Both are suitable for archival with retrieval times in hours (Coldline) or longer (Archive).

Standard and Nearline are for more frequently accessed data.

546 · MCQ · medium

A company is migrating its on-premises Oracle database to Cloud SQL for PostgreSQL. The database team wants to minimize downtime during migration. Which approach should they use?

A. Set up Oracle GoldenGate to replicate to Cloud SQL.
B. Use Database Migration Service for PostgreSQL with continuous migration from Oracle via Homogeneous Migration.
C. Take a physical backup of Oracle and restore to Cloud SQL.
D. Export the database as a dump file, upload to Cloud Storage, and import into Cloud SQL.

Answer: B

DMS supports minimal downtime via continuous replication.

Why this answer

Database Migration Service (DMS) for PostgreSQL with continuous migration is the correct approach because it supports ongoing change data capture (CDC) from Oracle to Cloud SQL for PostgreSQL, enabling near-zero downtime. DMS handles schema conversion and data replication continuously, allowing the target to stay synchronized until a cutover, which minimizes downtime compared to batch methods.

Exam trap

Google Cloud often tests the misconception that any 'migration service' automatically supports heterogeneous migrations, but here the trap is that Database Migration Service for PostgreSQL is specifically designed for PostgreSQL targets and includes built-in schema conversion from Oracle, whereas options like GoldenGate or dump/restore are either too complex or cause downtime.

How to eliminate wrong answers

Option A is wrong because Oracle GoldenGate is a third-party tool that requires separate licensing, complex configuration, and is not natively integrated with Cloud SQL for PostgreSQL; it is overkill and not the recommended Google Cloud service for this migration. Option C is wrong because a physical backup of Oracle (e.g., RMAN) is platform-specific and cannot be directly restored to Cloud SQL for PostgreSQL, which uses a different database engine and storage format. Option D is wrong because exporting as a dump file and importing is a one-time, offline process that requires the source database to be quiesced or taken offline, causing significant downtime, and does not support continuous replication.

547 · MCQ · medium

A company runs a critical application on Compute Engine and needs a disaster recovery strategy with a Recovery Time Objective (RTO) of less than 5 minutes and a Recovery Point Objective (RPO) of less than 1 minute. The application state is stored on persistent disks. Which solution meets these requirements?

A. Scheduled snapshots to multi-regional Cloud Storage bucket
B. Managed instance group with regional persistent disks across multiple zones
C. VM images stored in a different region using Cloud Storage
D. Cloud Storage Coldline with lifecycle policies

Answer: B

Regional PDs replicate data synchronously across zones, enabling fast failover and RPO under 1 minute.

Why this answer

Managed instance groups with multi-zone deployment and regional persistent disks provide synchronous replication across zones, achieving low RPO (seconds) and automatic failover for RTO under 5 minutes. Snapshots have higher RPO. VM images are for static boot disks.

Coldline storage is for archiving.

548 · Multi-Select · hard

An organization wants to implement a change management strategy for a microservices application on GKE, allowing gradual rollouts and immediate rollback if issues arise. Which three practices should they adopt? (Choose three.)

Answer options not yet available.

Why this answer

Canary deployments, feature flags, and automated rollbacks are key practices for gradual rollouts and rollback. Blue/green is also good, but not among the options. Manual approval slows rollouts.

Phased migrations are for database changes.

549 · MCQ · hard

A financial services company uses VPC Service Controls to protect their project containing BigQuery datasets and Cloud Storage buckets. They have a perimeter that includes the BigQuery service. Users report that they cannot export data from BigQuery to Cloud Storage using the web console. The export job fails with an access denied error. The team needs to allow exports while maintaining data exfiltration prevention. The users have the necessary IAM permissions (BigQuery Data Editor, Storage Object Admin) on the appropriate resources. What should the architect do?

A. Add Cloud Storage to the same VPC Service Controls perimeter.
B. Remove BigQuery from the VPC Service Controls perimeter.
C. Create an access level that permits exports during business hours.
D. Grant the users the Storage Object Admin role at the bucket level.

Answer: A

Correct: This allows controlled data flow between BigQuery and Cloud Storage within the perimeter.

Why this answer

Option A is correct because VPC Service Controls perimeters enforce data exfiltration prevention by default, blocking egress from protected services (like BigQuery) to unprotected services (like Cloud Storage). Adding Cloud Storage to the same perimeter allows BigQuery to export data to Cloud Storage while still preventing data from leaving the perimeter. The users already have the necessary IAM roles (BigQuery Data Editor and Storage Object Admin), so the issue is solely the perimeter boundary, not permissions.

Exam trap

The trap here is that candidates often confuse IAM permissions with VPC Service Controls boundaries, assuming that granting the correct IAM roles (like Storage Object Admin) will resolve the access denied error, when in fact the error is caused by the perimeter blocking cross-service egress, not by insufficient IAM privileges.

How to eliminate wrong answers

Option B is wrong because removing BigQuery from the perimeter would disable all VPC Service Controls protections for BigQuery, exposing the datasets to data exfiltration risks, which contradicts the requirement to maintain data exfiltration prevention. Option C is wrong because access levels control ingress based on client attributes (e.g., IP address, device state) and do not affect egress permissions between services within a perimeter; the export failure is a perimeter boundary issue, not an access level restriction. Option D is wrong because the users already have the Storage Object Admin role at the bucket level (as stated in the question), and the error is an access denied from the perimeter, not from IAM; granting the same role again does not resolve the VPC Service Controls boundary.

550 · MCQ · easy

Which IAM role should be granted to a user who needs to view but not modify resources in a project?

A. roles/editor
B. roles/viewer
C. roles/owner
D. roles/browser

Answer: B

Viewer provides read-only access.

Why this answer

The Viewer role (roles/viewer) provides read-only access to all resources in a project.

551 · Multi-Select · hard

Which THREE factors should be considered when choosing a Google Cloud region for deploying a low-latency application serving global users? (Choose three.)

Select 3 answers
A. Proximity to your user base to minimize network latency.
B. Availability of the specific Google Cloud services required by the application.
C. Pricing differences between regions due to variations in compute and storage costs.
D. Compliance with data residency requirements (e.g., GDPR, CCPA).
E. Number of zones in the region to ensure high availability.

Answers: A, B, D

Closer regions reduce round-trip time.

Why this answer

Options A, B, and D are correct. Latency to users, service availability, and data residency are key; cost is secondary, and the number of zones is not a primary factor.

552 · MCQ · hard

An organization has a VPC with two subnets: subnet-a (10.0.1.0/24) and subnet-b (10.0.2.0/24). They launched a Compute Engine instance in subnet-a with an internal IP 10.0.1.2 and a public IP. They want the instance to only allow HTTPS traffic from the internet. Which firewall rule should they create?

A. Ingress rule: allow tcp:0-65535, source 0.0.0.0/0, target tag 'https-server'
B. Egress rule: allow tcp:443, destination 0.0.0.0/0, target tag 'https-server'
C. Ingress rule: allow tcp:443, source 10.0.0.0/16, target tag 'https-server'
D. Ingress rule: allow tcp:443, source 0.0.0.0/0, target tag 'https-server'

Answer: D

This rule correctly allows inbound HTTPS from any source to instances with the tag.

Why this answer

Option D is correct because the instance needs to accept incoming HTTPS traffic (TCP port 443) from the internet. An ingress firewall rule with source 0.0.0.0/0 allows traffic from any external IP, and applying it to instances with the target tag 'https-server' ensures only tagged instances are affected. This matches the requirement to allow only HTTPS from the internet.

Exam trap

The trap here is that candidates often confuse ingress vs. egress rules or mistakenly restrict the source to the VPC range (10.0.0.0/16) thinking it includes the internet, when in fact it only allows traffic from within the VPC.

How to eliminate wrong answers

Option A is wrong because it allows all TCP ports (0-65535) from the internet, which violates the requirement to allow only HTTPS traffic (port 443). Option B is wrong because it is an egress rule, which controls outbound traffic from the instance, not inbound HTTPS traffic from the internet. Option C is wrong because it restricts the source to the internal VPC range (10.0.0.0/16), which blocks all internet traffic and does not meet the requirement for allowing HTTPS from the internet.

553 · MCQ · easy

A developer accidentally deleted a bucket in Cloud Storage. The bucket had object versioning enabled. How can the bucket and its objects be restored?

A. Contact Cloud Support to restore the bucket from the undisclosed backup within a limited time window.
B. Restore the bucket from the Trash in the Cloud Console.
C. Enable bucket lock and then undo deletion.
D. Use the gsutil ls -a command to list deleted buckets and gsutil cp to restore.

Answer: A

Google can restore deleted buckets within a short period.

Why this answer

When a Cloud Storage bucket is deleted, even with versioning enabled, the bucket itself is removed along with its objects. Google Cloud does not provide a self-service restore option for deleted buckets; instead, it maintains an internal, undisclosed backup for a limited time (typically 7 days). Only Cloud Support can initiate the restoration process from this backup, making Option A the correct approach.

Exam trap

Google Cloud often tests the misconception that versioning provides a safety net for bucket deletion, but versioning only protects objects within an existing bucket—it does not prevent or undo the deletion of the bucket itself.

How to eliminate wrong answers

Option B is wrong because Cloud Storage does not have a 'Trash' feature for buckets; the Trash in Cloud Console is for Compute Engine resources like VM instances, not for storage buckets. Option C is wrong because bucket lock is a feature for retention policies (e.g., preventing object deletion or modification), not for undoing a bucket deletion; once a bucket is deleted, there is no 'undo deletion' operation. Option D is wrong because the `gsutil ls -a` command lists object versions within an existing bucket, not deleted buckets; there is no `gsutil` command to list or restore a deleted bucket.

554
MCQmedium

A company has a microservices architecture on GKE. One service is failing due to resource exhaustion. How can they proactively prevent this?

A.Use vertical pod autoscaling.
B.Set up autoscaling based on CPU utilization.
C.Configure a horizontal pod autoscaler with custom metrics.
D.Implement a cluster autoscaler.
AnswerC

Custom metrics can detect specific exhaustion signals.

Why this answer

Option C is correct because a horizontal pod autoscaler with custom metrics (e.g., memory, request queue depth) can detect resource exhaustion early and scale pods before failure. Option B is wrong because CPU-based autoscaling may not capture all exhaustion types. Option A is wrong because vertical pod autoscaling may not react fast enough.

Option D is wrong because cluster autoscaler scales nodes, not pods.

555
Matchingmedium

Match each GCP data processing service to its use case.

Matches

Stream and batch data processing (Apache Beam)

Managed Hadoop and Spark clusters

Asynchronous messaging for event ingestion

Visual data integration pipelines

Workflow orchestration (Apache Airflow)

Why these pairings

These are data processing services in GCP.

556
MCQmedium

A company is using Cloud SQL for MySQL and wants to encrypt data at rest with a key that they manage and rotate. They also want to avoid any additional cost for the encryption feature. What should they do?

A.Use Customer-Supplied Encryption Keys (CSEK).
B.Use Google-managed encryption keys (default).
C.Use Cloud HSM to manage the keys.
D.Enable Customer-Managed Encryption Keys (CMEK) with Cloud KMS.
AnswerD

CMEK lets you manage and rotate the keys yourself, although Cloud KMS usage may incur charges. Among the options given, it is the only one that meets the key-management requirement.

Why this answer

Cloud SQL supports CMEK, which allows customers to use their own keys from Cloud KMS. CMEK usage does incur charges for Cloud KMS key versions, but there is no additional cost for the Cloud SQL encryption itself, only for KMS usage. The correct answer is therefore to use CMEK.

The question asks to avoid additional cost, and CMEK does add Cloud KMS cost; the other options are nonetheless wrong: Google-managed keys cost nothing but do not meet the key-management requirement, CSEK is deprecated, and Cloud HSM adds cost.

557
MCQeasy

A developer needs to store a database password securely and access it from a Cloud Run service. Which Google Cloud service should they use?

A.Cloud Storage
B.Firestore
C.Secret Manager
D.Cloud KMS
AnswerC

Secret Manager is designed for storing secrets with versioning and IAM.

Why this answer

Secret Manager securely stores secrets like passwords, API keys, and certificates. It integrates with Cloud Run via volume mounts or environment variables.

558
Multi-Selecteasy

You need to enable high availability for a new Cloud SQL for MySQL instance. Which TWO configurations must you set? (Choose 2)

Select 2 answers
A.Set the 'cloudsql.mysql' database flag for HA
B.Create a read replica in a different region
C.Enable automatic backups
D.Select the 'High availability (regional)' option when creating the instance
E.Enable binary logging
AnswersC, D

Automatic backups are required for HA failover and point-in-time recovery.

Why this answer

To enable HA for Cloud SQL, you must create a regional instance (which automatically provisions a standby in a different zone) and ensure automatic backups are enabled (required for failover and PITR). Read replicas are for read scaling, not HA. Binary logging is for replication and PITR, but it is enabled by default for HA instances.

Database flags are not required for HA.

559
MCQhard

A global gaming company deploys a leaderboard service using Cloud Spanner with a single-region configuration. They need a Recovery Point Objective (RPO) of 5 seconds and a Recovery Time Objective (RTO) of 1 minute in the event of a regional outage. What should they do?

A.Set up a cross-region read replica using Cloud SQL.
B.Use Compute Engine instances in multiple zones with a global load balancer to replicate data.
C.Configure cross-region backups with a 5-second recovery window.
D.Deploy Cloud Spanner in a multi-region configuration.
AnswerD

Multi-region Spanner provides synchronous replication across regions, enabling automatic failover with RPO near zero and RTO within minutes.

Why this answer

Cloud Spanner multi-region configurations provide automatic synchronous replication across regions, achieving RPO of near zero seconds and RTO of minutes (failover is automatic). Single-region does not provide cross-region failover. Multi-region is required for such low RPO/RTO.

Backups are point-in-time and slower to restore. Compute Engine is irrelevant.

560
MCQeasy

A company needs to store secrets such as API keys and database passwords securely and access them from Compute Engine instances. Which service provides secret storage with built-in IAM integration and automatic rotation?

A.Secret Manager
B.Cloud HSM
C.Cloud Storage
D.Cloud KMS
AnswerA

Correct. Secret Manager is purpose-built for secrets.

Why this answer

Secret Manager is the correct service for storing secrets with IAM and versioning. It also supports rotation via Cloud Functions or Pub/Sub.

561
Multi-Selectmedium

A company is designing a highly available application on GCE. Which TWO steps should they take to ensure reliability?

Select 2 answers
A.Use a global external HTTP(S) load balancer.
B.Use a managed instance group with autohealing.
C.Configure health checks that check the application endpoint.
D.Use persistent disks without snapshots.
E.Deploy instances in a single zone to avoid latency.
AnswersB, C

Automatically replaces unhealthy instances.

Why this answer

Option B is correct because a managed instance group (MIG) with autohealing automatically replaces unhealthy VM instances based on health check results, ensuring the application remains available even if individual instances fail. This is a core reliability pattern for stateless applications on Compute Engine, as it provides self-healing infrastructure without manual intervention.

Exam trap

Google Cloud often tests the distinction between load balancing (traffic distribution) and instance-level recovery (autohealing), causing candidates to incorrectly select a global load balancer as the sole reliability measure without recognizing the need for health-check-driven instance replacement.

562
MCQhard

An engineer is designing a Bigtable schema for time-series data consisting of sensor readings. Each sensor emits a reading every second. The access pattern is to retrieve all readings for a specific sensor within a time range. Which row key design will provide the best performance?

A.Use row key: [sensor_id]#[reverse_timestamp]
B.Use a single row per sensor with column qualifiers as timestamps
C.Use timestamp as the row key and sensor ID as column qualifier
D.Use a random prefix to distribute writes evenly
AnswerA

This ensures all readings for a sensor are close together and sorted by timestamp, optimizing range scans.

Why this answer

Bigtable stores rows sorted by key. A row key structured as [sensor_id]#[reverse_timestamp] ensures that all data for a sensor is contiguous, and sorting by reverse timestamp allows recent data to be retrieved first. A single row key per sensor with column qualifiers would cause hotspots and limit scalability.
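The row-key layout described above can be checked without a Bigtable cluster: the only property that matters is byte-wise ordering of the keys. The following is an added example, not code from the original question bank or from Google. It assumes millisecond timestamps, uses Long.MAX_VALUE as the reversal base (a common convention, not mandated by the page), zero-pads the reversed value so lexicographic order equals numeric order, and emulates a range scan with a binary search over a sorted key list built from constructed sample readings.

```python
import bisect

# Reversal base: Java's Long.MAX_VALUE, so reversed values stay positive (assumption).
MAX_TS_MS = (1 << 63) - 1


def reverse_timestamp(ts_ms: int) -> int:
    # Newer readings get smaller values, so they sort first under the sensor prefix.
    return MAX_TS_MS - ts_ms


def row_key(sensor_id: str, ts_ms: int) -> bytes:
    # Zero-pad to 19 digits (the width of MAX_TS_MS) so byte order == numeric order.
    return f"{sensor_id}#{reverse_timestamp(ts_ms):019d}".encode()


def parse_row_key(key: bytes):
    sensor, rev = key.decode().rsplit("#", 1)
    return sensor, MAX_TS_MS - int(rev)


def key_range_for_window(sensor_id: str, start_ms: int, end_ms: int):
    # Because of the reversal the newest reading (end_ms) is the *lower* key bound.
    return row_key(sensor_id, end_ms), row_key(sensor_id, start_ms)


def scan(sorted_keys, sensor_id: str, start_ms: int, end_ms: int):
    """Emulate a Bigtable row-range read: binary-search the contiguous block of keys
    for one sensor and return the timestamps found, newest first."""
    lo, hi = key_range_for_window(sensor_id, start_ms, end_ms)
    i = bisect.bisect_left(sorted_keys, lo)
    j = bisect.bisect_right(sorted_keys, hi)
    return [parse_row_key(k)[1] for k in sorted_keys[i:j]]


# Constructed sample data: two sensors emitting one reading per second for 10 seconds.
BASE_MS = 1_700_000_000_000


def sample_keys():
    return sorted(row_key(s, BASE_MS + i * 1000) for s in ("s1", "s2") for i in range(10))


if __name__ == "__main__":
    keys = sample_keys()
    # Every key for s1 is contiguous, and within that block the newest reading comes first.
    print(scan(keys, "s1", BASE_MS + 2000, BASE_MS + 5000))
```

Note that the scan never touches the `s2` block: all `s1#…` keys are adjacent, which is the locality the question is after. A key that started with the raw timestamp instead would interleave every sensor's readings and concentrate writes on the tablet holding the newest keys.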

563
MCQmedium

A company is using Cloud SQL for PostgreSQL and needs to run a one-time heavy analytical query that takes over 30 minutes and uses 100% CPU. The production database is serving user traffic with high QPS. What should the company do to run the query without impacting production?

A.Run the query directly on the primary instance during low traffic hours.
B.Create a read replica of the production instance and run the query on the replica.
C.Use Cloud SQL's pgBouncer to pool connections and queue the query.
D.Create a clone of the production instance and run the query on the clone.
AnswerB

Read replicas are designed for offloading read-only workloads.

Why this answer

Option B is correct because a read replica in Cloud SQL for PostgreSQL is a separate instance that asynchronously replicates data from the primary. Running the heavy analytical query on the replica offloads the CPU-intensive workload from the production primary, ensuring user-facing traffic with high QPS is not impacted. The replica can handle read-only queries without affecting the primary's performance or availability.

Exam trap

Google Cloud often tests the distinction between a read replica (which offloads read traffic) and a clone (which is a point-in-time copy not kept in sync), leading candidates to choose the clone option because they confuse it with a replica's ability to handle production queries without impact.

How to eliminate wrong answers

Option A is wrong because even during low traffic hours, a query using 100% CPU on the primary instance will still degrade performance for any concurrent user requests, risking latency spikes or timeouts. Option C is wrong because pgBouncer is a connection pooler that manages database connections, not a query scheduler or resource isolator; it cannot queue or throttle a single heavy query to prevent CPU saturation. Option D is wrong because a clone is a new primary instance created from a snapshot: it requires provisioning time and is not kept in sync with production, so it is suitable for testing or development rather than for a one-time query that should run against current data without impacting the primary.

564
MCQeasy

Your company runs a critical application on Compute Engine instances in a managed instance group across three zones. The application writes logs to local disk. You are asked to improve the reliability of log retention and ensure logs are available in case of instance failure. You have already configured a health check that automatically recreates instances. However, after a recent zonal outage, logs from the affected instances were lost. You need to implement a solution that preserves logs even when instances are terminated. What should you do?

A.Increase the size of the local SSD to accommodate more logs and set a longer retention period.
B.Configure each instance to write logs to a persistent disk that is retained after instance deletion.
C.Install the Cloud Logging agent on each instance and configure it to stream application logs to Cloud Logging.
D.Mount a Cloud Storage bucket using gcsfuse on each instance and write logs directly to the bucket.
AnswerC

Cloud Logging provides centralized, durable log storage independent of instance lifecycle.

Why this answer

Option C is correct because the Cloud Logging agent streams logs directly to Cloud Logging (now part of Google Cloud's operations suite), which stores logs independently of the Compute Engine instances. This ensures logs are preserved even if instances are terminated due to a zonal outage or health check recreation, as logs are sent to a centralized, durable logging service rather than being stored on local disk.

Exam trap

Google Cloud often tests the misconception that persistent disks or Cloud Storage buckets are sufficient for log durability, but the key requirement is centralized log management with automatic streaming, which only Cloud Logging provides without additional complexity or latency.

How to eliminate wrong answers

Option A is wrong because increasing local SSD size and retention period does not protect logs from instance termination; local SSDs are ephemeral and their data is lost when an instance is deleted or recreated. Option B is wrong because persistent disks are not automatically retained after instance deletion unless the 'delete-on-terminate' flag is set to false, and even then, logs would be tied to a specific disk that may not survive a zonal outage if not replicated; the question requires a solution that works across instance failures, not just disk retention. Option D is wrong because while gcsfuse can mount a Cloud Storage bucket, writing logs directly to a bucket introduces latency and potential consistency issues, and the bucket is not a log management solution; Cloud Logging is purpose-built for log ingestion, analysis, and retention.

565
MCQeasy

You want to create a log-based alert in Cloud Logging that triggers when a specific error message appears in application logs. What is the first step?

A.Create a logs-based metric that filters for the error message
B.Configure a Pub/Sub notification channel for alerts
C.Create a log sink to export logs to Cloud Storage
D.Set up an alerting policy directly on the log entries without a metric
AnswerA

A logs-based metric is required to track the error count.

Why this answer

To create a log-based alert, you first define a logs-based metric that counts occurrences of the error pattern. Then you create an alerting policy that monitors this metric and triggers when the count exceeds a threshold. Notifications are configured in the alerting policy, not the metric.
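The two-step structure described above (a logs-based counter metric first, then an alerting policy on that metric) can be worked through on a handful of log entries. This is an added example, not code from the original question bank or from Google Cloud: the log entries are constructed, the match predicate mirrors a Logging query of the form `severity=ERROR AND textPayload:"payment gateway timeout"` (the error text is an assumed example), and the alert evaluates aligned fixed windows, which is a simplification of how alerting policies align time series.

```python
import json
from datetime import datetime, timezone

# Constructed log entries in the shape of Cloud Logging JSON (abbreviated to the fields used).
SAMPLE_ENTRIES = [json.dumps(e) for e in [
    {"timestamp": "2024-01-01T00:00:05Z", "severity": "ERROR",   "textPayload": "payment gateway timeout after 30s"},
    {"timestamp": "2024-01-01T00:00:20Z", "severity": "INFO",    "textPayload": "GET /checkout 200"},
    {"timestamp": "2024-01-01T00:00:30Z", "severity": "ERROR",   "textPayload": "payment gateway timeout after 30s"},
    {"timestamp": "2024-01-01T00:00:45Z", "severity": "ERROR",   "textPayload": "payment gateway timeout after 30s"},
    {"timestamp": "2024-01-01T00:01:10Z", "severity": "WARNING", "textPayload": "payment gateway timeout (retrying)"},
    {"timestamp": "2024-01-01T00:01:30Z", "severity": "ERROR",   "textPayload": "database connection refused"},
    {"timestamp": "2024-01-01T00:02:15Z", "severity": "ERROR",   "textPayload": "payment gateway timeout after 30s"},
    {"timestamp": "2024-01-01T00:02:40Z", "severity": "INFO",    "textPayload": "GET /checkout 200"},
]]


def metric_filter(entry: dict) -> bool:
    # Step 1, the logs-based metric's filter. Equivalent Logging query (assumed):
    #   severity=ERROR AND textPayload:"payment gateway timeout"
    return entry.get("severity") == "ERROR" and "payment gateway timeout" in entry.get("textPayload", "")


def _epoch(ts: str) -> float:
    # fromisoformat() only accepts the trailing "Z" from Python 3.11 on, so normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


def count_metric(raw_entries, filter_fn=metric_filter) -> int:
    """Total value of the counter metric over the given entries."""
    return sum(1 for raw in raw_entries if filter_fn(json.loads(raw)))


def evaluate_alert(raw_entries, threshold: int, window_s: int = 60, filter_fn=metric_filter):
    """Step 2, the alerting policy: bucket matches into aligned windows and report the
    windows whose count exceeds the threshold. Returns ISO-8601 window start times."""
    counts = {}
    for raw in raw_entries:
        entry = json.loads(raw)
        if not filter_fn(entry):
            continue
        t = _epoch(entry["timestamp"])
        start = t - (t % window_s)
        counts[start] = counts.get(start, 0) + 1
    return [datetime.fromtimestamp(s, timezone.utc).isoformat()
            for s in sorted(counts) if counts[s] > threshold]


if __name__ == "__main__":
    print("metric value:", count_metric(SAMPLE_ENTRIES))
    print("windows that would fire (count > 2 per minute):", evaluate_alert(SAMPLE_ENTRIES, threshold=2))
```

The WARNING entry and the unrelated ERROR are deliberately present: the metric filter, not the alerting policy, decides what counts, which is why the metric has to exist before the policy can be written.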

566
Multi-Selecthard

A financial services company is designing a multi-tier application on Google Cloud. The application must meet PCI DSS compliance, with data encrypted at rest and in transit. They plan to use Cloud SQL for PostgreSQL for transactional data and Cloud Storage for archival data. Which TWO actions should the architect take to meet compliance requirements?

Select 2 answers
A.Configure client-side encryption in the application code
B.Rely on Google-managed default encryption for all data
C.Enable customer-managed encryption keys (CMEK) on Cloud SQL and Cloud Storage
D.Use VPC Service Controls to restrict data access
E.Use Cloud HSM with a key generated outside of Google Cloud
AnswersC, D

CMEK provides control over key management required for PCI DSS.

Why this answer

Option C is correct because enabling CMEK on Cloud SQL and Cloud Storage allows the company to use their own encryption keys, which is often required by PCI DSS to demonstrate control over key management. CMEK ensures data at rest is encrypted with keys managed via Cloud KMS, providing auditability and separation of duties beyond Google-managed default encryption.

Exam trap

The trap here is that candidates often assume Google-managed default encryption is sufficient for PCI DSS, but the exam tests the nuance that many compliance frameworks require customer-managed keys (CMEK) to demonstrate control over the encryption process, not just encryption itself.

567
MCQmedium

A company runs a web application on Google Kubernetes Engine (GKE) with Cluster Autoscaler enabled. During a traffic spike, the application becomes slow and some requests timeout. The cluster has sufficient CPU and memory headroom. What is the most likely cause and solution?

A.Increase the node pool's machine type to a larger size.
B.Enable Cluster Autoscaler to add more nodes.
C.Deploy the application in a regional cluster for higher availability.
D.Configure Horizontal Pod Autoscaler (HPA) based on CPU utilization or custom metrics.
AnswerD

HPA automatically scales pods based on load, resolving the timeout issue.

Why this answer

The correct answer is D because the cluster has sufficient CPU and memory headroom, indicating that the issue is not about cluster capacity but about pod-level scaling. The Horizontal Pod Autoscaler (HPA) automatically scales the number of pod replicas based on observed CPU utilization or custom metrics, which directly addresses the application slowdown and timeouts during traffic spikes by distributing the load across more pods.

Exam trap

Google Cloud often tests the distinction between node-level scaling (Cluster Autoscaler) and pod-level scaling (HPA), trapping candidates who assume that adding more nodes is the solution when the cluster already has headroom, whereas the real issue is insufficient pod replicas to handle the load.

How to eliminate wrong answers

Option A is wrong because increasing the node pool's machine type addresses node-level resource constraints, but the cluster already has sufficient CPU and memory headroom, so the bottleneck is at the pod level, not the node level. Option B is wrong because Cluster Autoscaler is already enabled and the cluster has headroom, so adding more nodes would not solve the problem of insufficient pod replicas to handle the traffic spike. Option C is wrong because deploying in a regional cluster improves availability and resilience to zone failures, but does not directly address the performance degradation and timeouts caused by insufficient application instances during a traffic spike.

568
Multi-Selectmedium

Your organization is moving a legacy monolithic application to Google Kubernetes Engine (GKE). The application currently runs on a single virtual machine with a local MySQL database. You need to design a cloud-native architecture that improves scalability and reliability. Which two actions should you take? (Choose TWO.)

Select 2 answers
A.Deploy the entire application in a single container with a large custom machine type to handle load.
B.Refactor the application into microservices and deploy each as a separate deployment in GKE.
C.Expose the application using a simple Service of type LoadBalancer with round-robin distribution.
D.Use Cloud SQL for MySQL instead of running the database in the same cluster.
E.Use a single Pod with multiple containers that communicate via localhost to reduce latency.
AnswersB, D

Microservices allow independent scaling and faster deployments.

Why this answer

Option B is correct because refactoring the monolithic application into microservices and deploying each as a separate Deployment in GKE aligns with cloud-native principles, enabling independent scaling, fault isolation, and easier updates. This approach improves scalability and reliability by allowing each microservice to scale horizontally based on demand, and failures in one service do not cascade to others.

Exam trap

Google Cloud often tests the misconception that simply containerizing a monolith or using a larger machine type is sufficient for cloud-native scalability, when in fact true scalability requires decoupling components into independently scalable units and separating stateful services like databases.

569
MCQeasy

An engineer runs the above command and sees two firewall rules that allow SSH access. A security review requires that SSH access be allowed only from the bastion subnet 10.0.1.0/24. What should the engineer do to meet the requirement?

A.Add a firewall rule with priority 500 that denies SSH from all IPs
B.Change the priority of allow-ssh-ingress to 2000
C.Delete the allow-ssh-ingress rule
D.Remove the target tag 'ssh-allowed' from allow-ssh-from-bastion
AnswerC

Deleting the overly permissive rule leaves only the bastion-specific rule, meeting the requirement.

Why this answer

The correct answer is C because the allow-ssh-ingress rule has a higher priority (lower number) than the allow-ssh-from-bastion rule, allowing SSH from any source IP. Deleting this rule ensures that only the lower-priority rule (allow-ssh-from-bastion) remains, which restricts SSH access to the bastion subnet 10.0.1.0/24. In Google Cloud VPC firewall rules, lower priority numbers indicate higher precedence, so the allow-ssh-ingress rule (priority 1000) overrides the allow-ssh-from-bastion rule (priority 2000) for any traffic matching both.

Exam trap

Google Cloud often tests the misconception that adding a deny rule with a higher priority (lower number) will block unwanted traffic while preserving the allow rule, but candidates forget that the deny rule would also block the intended bastion traffic, breaking the requirement.

How to eliminate wrong answers

Option A is wrong because adding a deny rule with priority 500 would block SSH from all IPs, including the bastion subnet: a deny rule with a lower priority number is evaluated before both allow rules (and at equal priority a deny overrides an allow), so this would break the requirement to allow SSH from the bastion. Option B is wrong because changing the priority of allow-ssh-ingress to 2000 would make it equal to the allow-ssh-from-bastion rule, but both would still allow SSH from all IPs (since allow-ssh-ingress has no source restriction), and with equal priority the evaluation order is undefined, potentially still allowing unwanted access. Option D is wrong because removing the target tag 'ssh-allowed' from allow-ssh-from-bastion would prevent that rule from applying to any instances, effectively blocking all SSH access, including from the bastion subnet.
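The priority argument above can be replayed with a small evaluator that applies VPC firewall semantics (lowest priority number wins; at equal priority a deny overrides an allow; no matching ingress rule means the implied deny applies). This is an added example, not code from the original question bank or from Google Cloud. The two rules are reconstructed from the names, priorities and ranges the question states; the source addresses, the instance tag, the rule field layout and the helper names are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class FirewallRule:
    name: str
    priority: int          # 0-65535; a lower number means higher precedence
    action: str            # "allow" or "deny"
    source_ranges: list    # CIDR strings
    ports: set             # TCP ports the rule matches
    target_tags: set = field(default_factory=set)  # empty set = applies to all instances


# Reconstructed from question 569 (priorities and ranges as stated there).
RULES = [
    FirewallRule("allow-ssh-ingress", 1000, "allow", ["0.0.0.0/0"], {22}),
    FirewallRule("allow-ssh-from-bastion", 2000, "allow", ["10.0.1.0/24"], {22}, {"ssh-allowed"}),
]


def matches(rule: FirewallRule, src_ip: str, port: int, instance_tags) -> bool:
    if port not in rule.ports:
        return False
    if rule.target_tags and not (rule.target_tags & set(instance_tags)):
        return False
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(r) for r in rule.source_ranges)


def evaluate(rules, src_ip: str, port: int, instance_tags) -> str:
    """Return 'allow' or 'deny' for one ingress packet under VPC firewall semantics."""
    candidates = [r for r in rules if matches(r, src_ip, port, instance_tags)]
    if not candidates:
        return "deny"                      # implied ingress deny
    best = min(r.priority for r in candidates)
    winners = [r for r in candidates if r.priority == best]
    return "deny" if any(r.action == "deny" for r in winners) else "allow"


def ssh_exposure(rules, instance_tags=frozenset({"ssh-allowed"})):
    """Probe SSH from a bastion address and from an internet address (both constructed)."""
    return {
        "bastion": evaluate(rules, "10.0.1.7", 22, instance_tags),
        "internet": evaluate(rules, "203.0.113.9", 22, instance_tags),
    }


def apply_option_c(rules):
    # Delete the overly permissive rule.
    return [r for r in rules if r.name != "allow-ssh-ingress"]


def apply_option_a(rules):
    # Add a higher-precedence deny for SSH from everywhere (the exam trap).
    return rules + [FirewallRule("deny-ssh-all", 500, "deny", ["0.0.0.0/0"], {22})]


if __name__ == "__main__":
    print("as found:  ", ssh_exposure(RULES))
    print("option C:  ", ssh_exposure(apply_option_c(RULES)))
    print("option A:  ", ssh_exposure(apply_option_a(RULES)))
```

The same evaluator is a handy regression check for any proposed rule change: run it for the addresses you intend to keep (the bastion) and the ones you intend to cut off before touching the live network.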

570
MCQhard

A company uses Cloud Armor to protect their HTTP Load Balancer from DDoS attacks. Recently, they experienced a targeted attack that bypassed Cloud Armor's predefined rules. The attack involved a high rate of legitimate-looking requests from a small set of IPs that made the application unresponsive. The team needs to block the attack quickly without affecting legitimate users. What should they do?

A.Increase the load balancer's capacity to absorb the attack.
B.Configure rate limiting with a threshold based on the normal traffic pattern.
C.Enable Google Cloud Armor Adaptive Protection.
D.Add the attacking IPs to a Cloud Armor deny list.
AnswerC

Adaptive Protection learns normal traffic patterns and automatically blocks anomalous high-rate requests.

Why this answer

Option C is correct because Cloud Armor Adaptive Protection uses machine learning to analyze traffic patterns and automatically create tailored rules to block application-layer DDoS attacks that bypass predefined rules. In this scenario, the attack consists of legitimate-looking requests from a small set of IPs, which Adaptive Protection can detect as anomalous and generate a custom signature to block without manual intervention, preserving access for legitimate users.

Exam trap

The trap here is that candidates may choose Option D (adding IPs to a deny list) because it seems like a quick fix, but Google Cloud tests the understanding that Cloud Armor Adaptive Protection is the correct automated solution for application-layer DDoS attacks with legitimate-looking traffic, not manual IP blocking.

How to eliminate wrong answers

Option A is wrong because increasing the load balancer's capacity only absorbs volumetric attacks but does not address the application-layer nature of this attack; the high rate of legitimate-looking requests will still exhaust application resources regardless of capacity. Option B is wrong because configuring rate limiting with a threshold based on normal traffic patterns requires prior knowledge of those patterns and may inadvertently block legitimate users if the threshold is set too low, or fail to block the attack if the threshold is too high; it also does not leverage Cloud Armor's adaptive capabilities. Option D is wrong because adding the attacking IPs to a deny list is reactive and assumes the IPs are static; the attack may use rotating IPs or spoofed addresses, making manual deny lists ineffective and unsustainable for a rapid response.

571
MCQmedium

A company is deploying a web application on Compute Engine behind a global HTTP(S) load balancer. They want to restrict access to only traffic from specific IP ranges. Which load balancer feature should they use?

A.Cloud Armor security policies.
B.VPC firewall rules.
C.Identity-Aware Proxy (IAP).
D.Cloud CDN.
AnswerA

Cloud Armor can allow/deny traffic based on IP.

Why this answer

Cloud Armor security policies are the correct choice because they allow you to define IP-based allow/deny rules at the edge of Google's network, directly integrated with the global HTTP(S) load balancer. This provides granular access control based on source IP ranges before traffic reaches your backend instances, which is exactly what the requirement specifies.

Exam trap

The trap here is that candidates often confuse VPC firewall rules with Cloud Armor, assuming that firewall rules can filter on the original client IP behind a load balancer, but in reality, VPC firewall rules only see the load balancer's proxy IPs, making Cloud Armor the only viable option for IP-based access control at the edge.

How to eliminate wrong answers

Option B is wrong because VPC firewall rules operate at the instance level (network interface) and cannot filter traffic based on the original client IP when a global HTTP(S) load balancer is used, as the load balancer's health check and proxy IPs are seen instead. Option C is wrong because Identity-Aware Proxy (IAP) controls access based on user identity and context (e.g., Google accounts, OAuth), not on source IP ranges, and is designed for application-layer authentication, not network-layer IP filtering. Option D is wrong because Cloud CDN is a content delivery network that caches content at edge locations to improve latency and reduce load, and it does not provide any IP-based access control or security policy enforcement.

572
MCQmedium

A team is using Cloud Build to deploy a microservice to Cloud Run. They want to ensure that only containers built from a specific trusted branch in their source repository are deployed to production. Which Cloud Build feature should they use?

A.Binary Authorization attestors
B.Cloud Build trigger branch filtering
C.Cloud Deploy delivery pipeline approvals
D.Artifact Registry IAM permissions
AnswerB

Cloud Build triggers can be scoped to specific branches using regex, ensuring only trusted branches trigger builds.

Why this answer

Cloud Build triggers can be configured to respond only to specific branches (e.g., 'main' or 'release/*'). By setting the trigger's included files filter and branch regex, they can restrict builds to that branch. Artifact Registry controls access to container images, but does not restrict deployment by branch.

Cloud Deploy is a separate service for progressive delivery. Binary Authorization enforces policies at deployment time but does not filter by branch.

573
MCQeasy

A company wants to restrict access to a Cloud Storage bucket so that only a specific service account can read objects. The bucket contains sensitive data. Which identity and access management (IAM) approach should the architect use?

A.Grant the service account roles/iam.serviceAccountUser on the bucket.
B.Use a signed URL to allow access for the service account.
C.Grant the service account roles/storage.admin on the bucket.
D.Grant the service account roles/storage.objectViewer on the bucket and remove all other bindings.
AnswerD

This restricts read access to only the service account.

Why this answer

Option D is correct because the principle of least privilege dictates that the service account should be granted only the minimal permissions required to read objects, which is roles/storage.objectViewer. By removing all other bindings, the bucket becomes accessible exclusively to that service account, ensuring that no other identities (users, groups, or other service accounts) can read the sensitive data. This approach directly enforces the requirement using IAM roles on the bucket resource.

Exam trap

Google Cloud often tests the misconception that granting a broad role like roles/storage.admin is acceptable for simplicity, but the trap here is that candidates overlook the principle of least privilege and the specific read-only requirement, leading them to choose an overly permissive role.

How to eliminate wrong answers

Option A is wrong because roles/iam.serviceAccountUser grants permission to impersonate the service account (e.g., to run jobs as that account), not to read objects from a Cloud Storage bucket; it does not provide any storage access. Option B is wrong because signed URLs are used to grant temporary access to specific objects for any user (including non-Google accounts) via a cryptographic signature, not to restrict access to a specific service account; they are not an IAM-based access control mechanism. Option C is wrong because roles/storage.admin grants full control over the bucket, including the ability to delete objects and modify bucket metadata, which violates the principle of least privilege and exceeds the read-only requirement.
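The "grant objectViewer and remove all other bindings" answer is easy to verify mechanically on a bucket's IAM policy. This is an added example, not code from the original question bank or from Google Cloud: the policy document below is constructed in the shape returned by a bucket get-iam-policy call, the service account name is made up, and the set of object-reading roles is an illustrative subset of the Cloud Storage roles that include `storage.objects.get`, not an exhaustive list.

```python
import copy

# Cloud Storage roles that include storage.objects.get (illustrative subset, assumption).
OBJECT_READ_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.objectUser",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
    "roles/storage.legacyObjectReader",
    "roles/storage.legacyObjectOwner",
}
MINIMAL_READ_ROLE = "roles/storage.objectViewer"

# Constructed service account and bucket policy (shape of a get-iam-policy response).
READER_SA = "serviceAccount:reader@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.admin",
         "members": ["user:alice@example.com", READER_SA]},
        {"role": "roles/storage.objectViewer",
         "members": ["group:analysts@example.com", READER_SA]},
    ],
    "etag": "BwXconstructedEtag=",
}


def audit_read_access(policy: dict, allowed_sa: str):
    """Return one finding per violation of 'only allowed_sa may read, and only via objectViewer'."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role not in OBJECT_READ_ROLES:
            continue
        for member in binding.get("members", []):
            if member != allowed_sa:
                findings.append(f"{member} can read objects via {role}")
            elif role != MINIMAL_READ_ROLE:
                findings.append(f"{member} holds {role}, which is broader than {MINIMAL_READ_ROLE}")
    return findings


def least_privilege_policy(policy: dict, allowed_sa: str) -> dict:
    """Produce the policy Option D describes: a single objectViewer binding for the service
    account, keeping the etag so a concurrent modification would be rejected on write."""
    new_policy = copy.deepcopy(policy)
    new_policy["bindings"] = [{"role": MINIMAL_READ_ROLE, "members": [allowed_sa]}]
    return new_policy


if __name__ == "__main__":
    for finding in audit_read_access(SAMPLE_POLICY, READER_SA):
        print("FINDING:", finding)
    print(least_privilege_policy(SAMPLE_POLICY, READER_SA))
```

Two caveats a reviewer would add: bucket-level bindings are only part of the picture, because roles granted at the project or folder level are inherited by the bucket, and legacy object ACLs can grant reads outside IAM unless uniform bucket-level access is enabled. A real audit therefore checks the effective policy, not just the bucket's own bindings.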

574
MCQeasy

A developer wants to store and retrieve non-relational data with flexible schema and automatic scaling. Which Google Cloud service should they use?

A.Cloud Bigtable.
B.Cloud SQL.
C.Firestore.
D.Cloud Spanner.
AnswerC

Firestore is NoSQL with flexible schema and auto-scaling.

Why this answer

Firestore is a NoSQL document database that supports flexible schema and automatic scaling, making it ideal for non-relational data. It offers real-time synchronization, offline support, and serverless scaling, which aligns with the requirement for storing and retrieving data without manual sharding or capacity planning.

Exam trap

Google Cloud often tests the distinction between NoSQL databases by presenting Cloud Bigtable as a trap for 'non-relational' requirements, but candidates overlook that Bigtable is optimized for analytical workloads with fixed column families, not for flexible schema and automatic scaling in transactional applications.

How to eliminate wrong answers

Option A is wrong because Cloud Bigtable is a wide-column NoSQL database designed for large analytical workloads (e.g., time-series, IoT) with high throughput, but it does not support flexible schema in the same way as Firestore (it requires predefined column families) and is not optimized for transactional, real-time client-side access. Option B is wrong because Cloud SQL is a fully managed relational database service (MySQL, PostgreSQL, SQL Server) that enforces a fixed schema and does not automatically scale beyond its instance limits without manual resizing or read replicas. Option D is wrong because Cloud Spanner is a globally distributed relational database that provides strong consistency and horizontal scaling, but it requires a predefined schema and SQL-based relational model, making it unsuitable for non-relational data with flexible schema.

575
MCQhard

A company runs a critical web application behind an external HTTPS load balancer. The backend consists of a managed instance group of Compute Engine instances. Users report intermittent 502 Bad Gateway errors. The load balancer logs show occasional health check failures for some instances. The instances have a custom health check endpoint that returns a 200 status code only if the application is fully healthy. The application logs do not show any errors, and CPU/memory usage on the instances is normal. What should be the first troubleshooting step to identify the root cause?

A.Change the health check to a TCP check on the application's port
B.Increase the health check interval and decrease the unhealthy threshold
C.Increase the number of instances in the managed instance group
D.Check the application's logs on the instances to see why the health check endpoint sometimes returns non-200
AnswerD

This directly investigates the health check failure.

Why this answer

Option B is correct. The health check is failing, and since the instances show normal CPU/memory, the application might be slow to respond under certain conditions. Checking the application logs on the instances will reveal why the health check endpoint returns non-200.

Option B is wrong because increasing the interval doesn't fix the underlying issue. Option C is wrong because adding instances won't help if the health check is flaky. Option A is wrong because a TCP health check would not validate application health and could mask the problem.

576
MCQ · hard

A media company uses Cloud CDN with an HTTP(S) Load Balancer to serve video content from Cloud Storage. After a month, they notice increased costs due to high cache miss rates. Analysis shows that many requests include a unique query parameter for analytics tracking. What is the most effective way to improve cache hit ratio while preserving analytics data?

A. Configure a custom cache key on the backend bucket to exclude the analytics parameter
B. Move the content to a different Cloud Storage bucket with no caching
C. Increase the minimum TTL on the backend bucket to 1 hour
D. Disable caching for requests with query parameters
Answer: A

Excluding the analytics parameter from the cache key ensures all requests for the same content share one cache entry, increasing hit ratio.

Why this answer

When query parameters are unique per request (like tracking IDs), they cause cache misses. The solution is to define a cache key that ignores that specific parameter, so the same content is cached once. Setting a custom cache key on the backend bucket is the correct approach.

Disabling CDN or increasing TTL does not solve the parameter issue. Removing caching altogether would hurt performance and increase egress costs.

577
MCQ · medium

A company runs a monolithic application on Compute Engine. They want to modernize by moving to microservices on Google Kubernetes Engine (GKE) to improve deployment frequency and resource utilization. However, they are concerned about the increased operational complexity. Which approach best balances modernization benefits with operational overhead?

A. Keep the monolithic application on Compute Engine and use Cloud Monitoring to optimize resource utilization.
B. Migrate all application components to Cloud Run and use Cloud Tasks for asynchronous communication.
C. Rewrite the entire application as microservices and deploy on GKE with Istio for service mesh.
D. Identify stateless components to migrate to Cloud Run, and keep stateful components on GKE with managed services like Cloud Spanner.
Answer: D

Balances modernization with reduced complexity by using serverless where appropriate.

Why this answer

Option D is correct because it pragmatically balances modernization benefits with operational overhead by migrating only stateless components to Cloud Run (a fully managed serverless platform that reduces operational complexity) while keeping stateful components on GKE with managed services like Cloud Spanner. This approach improves deployment frequency and resource utilization without requiring a full rewrite, and it leverages Cloud Run's automatic scaling and zero infrastructure management to minimize operational burden.

Exam trap

Google Cloud often tests the misconception that full microservices migration (Option C) is always the best modernization path, but the trap here is that candidates overlook the operational overhead of service mesh and full rewrites, failing to recognize that a hybrid approach using serverless for stateless components reduces complexity while still achieving modernization goals.

How to eliminate wrong answers

Option A is wrong because it fails to modernize the architecture—keeping the monolithic application on Compute Engine does not improve deployment frequency or resource utilization, and Cloud Monitoring alone cannot address the core issues of monolithic scaling and slow deployments. Option B is wrong because migrating all application components to Cloud Run is impractical for stateful workloads (Cloud Run is stateless by design, with no persistent local storage), and Cloud Tasks alone does not solve the complexity of managing stateful services or inter-service communication in a microservices architecture. Option C is wrong because rewriting the entire application as microservices and deploying on GKE with Istio introduces significant operational overhead (service mesh configuration, sidecar proxies, and increased complexity) that contradicts the goal of balancing modernization benefits with operational overhead, and it ignores the possibility of a phased migration.

578
Multi-Select · medium

A company wants to monitor the performance of their microservices deployed on Cloud Run. They need to capture request latencies and error rates, and also trace requests across services. Which TWO services should they use?

Select 2 answers
A. Cloud Trace
B. Error Reporting
C. Cloud Profiler
D. Cloud Logging
E. Cloud Monitoring
Answers: A, E

Cloud Trace provides distributed tracing to capture request latencies across services.

Why this answer

Cloud Monitoring collects metrics like latency and error rates and can create dashboards and alerts. Cloud Trace collects latency data across services for distributed tracing.

579
MCQ · medium

A team needs to run load tests against their application deployed on GKE to validate performance under peak traffic. They want to simulate 100,000 concurrent users generating HTTP requests. Which tool should they use?

Answer options not yet available.

Why this answer

Cloud Load Testing tools can simulate large numbers of concurrent users generating HTTP requests against GKE deployments. Locust is an open-source tool, but the question asks for a Google Cloud tool; the managed service scales better for large tests.

580
MCQ · medium

A data engineer needs to scan a Cloud Storage bucket for personally identifiable information (PII) and de-identify the data before loading it into BigQuery. Which Google Cloud service should they use?

A. Cloud DLP
B. Cloud Dataprep
C. Cloud Composer
D. Cloud Data Fusion
Answer: A

Cloud DLP is designed for inspecting and de-identifying sensitive data.

Why this answer

Cloud Data Loss Prevention (DLP) API can inspect data for PII and de-identify it using techniques like masking, tokenization, or bucketing.

581
MCQ · easy

Refer to the exhibit. A DevOps engineer created this Terraform configuration to deploy a Compute Engine instance. After applying, they notice the instance is not accessible from the internet. What is the most likely cause?

A. The machine type e2-medium does not support public IP addresses.
B. The instance is not attached to a VPC network.
C. No firewall rule allows ingress traffic to the instance.
D. The boot disk size is too small to run the operating system.
Answer: C

Firewall rules are needed to allow inbound traffic; the default network may not have appropriate rules.

Why this answer

The most likely cause is that no firewall rule allows ingress traffic to the instance. By default, GCP instances are created with a VPC network that has implied deny-all ingress rules, and unless a specific firewall rule (e.g., allowing tcp:22 for SSH or tcp:80 for HTTP) is applied to the instance's network tags or service account, all inbound traffic from the internet is blocked. The Terraform configuration shown in the exhibit likely omitted a `google_compute_firewall` resource or did not assign the necessary network tags to the instance.

Exam trap

Google Cloud often tests the misconception that assigning a public IP automatically makes an instance internet-accessible, but the trap here is that without a corresponding ingress firewall rule, the instance remains isolated regardless of the public IP.

How to eliminate wrong answers

Option A is wrong because the machine type e2-medium fully supports public IP addresses; public IP assignment is controlled by the `access_config` block in the Terraform resource, not by the machine type. Option B is wrong because every Compute Engine instance is automatically attached to a default VPC network unless explicitly overridden; the exhibit does not indicate any misconfiguration that would leave the instance networkless. Option D is wrong because the boot disk size (e.g., 10 GB default) is sufficient for most operating systems; the issue is about network accessibility, not disk capacity.

582
MCQ · medium

A company needs to store petabytes of time-series IoT sensor data and query it with single-digit millisecond latency at millions of reads per second. The data has a simple key-value structure with timestamps. Which Google Cloud database is MOST appropriate?

A. Firestore
B. Cloud Bigtable
C. Cloud Spanner
D. BigQuery
Answer: B

Bigtable is the correct choice: wide-column NoSQL, designed for time-series and IoT workloads, single-digit ms latency, and scales to millions of QPS with additional nodes.

Why this answer

Cloud Bigtable is designed for exactly this use case — petabyte-scale, low-latency (single-digit ms), high-throughput NoSQL storage for time-series, IoT, and financial data. It scales horizontally by adding nodes. BigQuery is optimised for analytics (seconds-to-minutes latency), Cloud SQL is for OLTP (limited to tens of thousands of QPS), and Firestore is for document data with hierarchical structure.

583
MCQ · medium

Refer to the exhibit. An engineer is reviewing health check logs for a target pool. The instance web-01 is still serving traffic despite two consecutive unhealthy health checks. Why is the instance not removed from the target pool?

A. The health check's timeoutSec is too high, causing delayed removal.
B. The forwarding rule is not using the target pool, so health checks have no effect.
C. The healthyThreshold is set to 2, requiring two healthy checks before re-adding, but the instance only had one healthy check.
D. The instance was removed after the second failure but then re-added after the next healthy check, so it is serving traffic again.
Answer: D

The instance was marked unhealthy after two consecutive failures, but the next health check succeeded, so it was re-added to the target pool.

Why this answer

The health check has unhealthyThreshold: 2 and checkIntervalSec: 5, so the instance is marked unhealthy only after two consecutive failures. The logs show exactly that: failures at 10:00:16 and 10:00:21. After the second failure the instance was removed from the target pool. The next check, at 10:00:26, was healthy, so the instance was re-added to the pool after that healthy check.

Because removal and re-addition happen within seconds of each other, a log snapshot can show the instance serving traffic shortly after two consecutive failures. That is why Option D is correct: the instance was removed after the second failure and then re-added after the next healthy check, so it is serving traffic again.

584
MCQ · medium

A company has a requirement to store application logs for 7 years for compliance. They are using Cloud Logging. What is the most cost-effective way to retain logs?

A. Set the log bucket retention to 7 years
B. Export logs to Cloud Storage with Object Lifecycle management to delete after 7 years
C. Export logs to BigQuery and run scheduled queries to delete old data
D. Use Cloud Logging's default retention and rely on backups
Answer: B

Cloud Storage is cost-effective for long-term retention with lifecycle rules.

Why this answer

Cloud Logging's default retention is limited (e.g., 30 days for logs in the default _Default bucket, and up to 365 days for custom log buckets). To meet a 7-year compliance requirement cost-effectively, you should export logs to Cloud Storage and use Object Lifecycle Management to delete objects after 7 years. Cloud Storage offers lower long-term storage costs than retaining logs in Logging's _Required or custom buckets, and lifecycle rules automate deletion without ongoing compute costs.

Exam trap

The trap here is that candidates assume Cloud Logging's retention settings can be extended arbitrarily, but the exam tests knowledge that log buckets have a hard 365-day maximum (except _Required at 400 days), making export to Cloud Storage with lifecycle rules the only viable long-term, cost-effective solution.

How to eliminate wrong answers

Option A is wrong because Cloud Logging log buckets have a maximum retention period of 365 days (1 year) for custom buckets, and the _Required bucket retains logs for 400 days; you cannot set a retention of 7 years directly in a log bucket. Option C is wrong because BigQuery storage costs are significantly higher than Cloud Storage for long-term archival, and running scheduled queries to delete old data incurs additional query costs and complexity. Option D is wrong because Cloud Logging's default retention (e.g., 30 days for _Default, 400 days for _Required) does not meet the 7-year requirement, and backups are not a native retention mechanism for compliance.

585
MCQ · medium

A company wants to implement an event-driven architecture where uploads to a Cloud Storage bucket trigger processing in a serverless function. The function must process each object within a few seconds and handle bursts of thousands of uploads. Which service should they use?

A. Google Kubernetes Engine
B. Cloud Run for Anthos
C. Compute Engine with autoscaling
D. Cloud Functions
Answer: D

Cloud Functions natively supports Cloud Storage triggers and auto-scales for bursts.

Why this answer

Cloud Functions can be triggered by Cloud Storage events (object finalize/create) and scales automatically to handle bursts. Cloud Run can also be triggered by events via Eventarc but is not directly triggered by Cloud Storage events. GKE and Compute Engine require more management and are not serverless.

586
MCQ · medium

A company uses BigQuery for analytics and has a large number of ad-hoc queries from different teams. Costs are rising unpredictably. They want to control costs while maintaining query performance. What should they do?

A. Use partitioning and clustering to reduce data scanned.
B. Reduce the number of slots available to each team.
C. Require each team to include a cost code in their queries.
D. Purchase flat-rate slots and assign them to a reservation for each team.
Answer: D

Flat-rate provides predictable cost and performance isolation.

Why this answer

Option D is correct because purchasing flat-rate slots and assigning them to a reservation for each team provides predictable, fixed-cost capacity for BigQuery. This eliminates the unpredictability of on-demand pricing while allowing teams to share a dedicated pool of slots, ensuring consistent query performance without unexpected cost spikes.

Exam trap

Google Cloud often tests the misconception that performance optimization techniques (like partitioning/clustering) alone can control costs, when in fact they only reduce per-query data scanned but do not cap total spending under on-demand pricing.

How to eliminate wrong answers

Option A is wrong because partitioning and clustering reduce data scanned per query, which lowers on-demand costs, but they do not cap total spending or prevent cost spikes from high query volumes; costs remain unpredictable if usage surges. Option B is wrong because reducing the number of slots available to each team would degrade query performance and cause queuing, violating the requirement to maintain performance; slots are a resource, not a cost control mechanism. Option C is wrong because requiring a cost code in queries only adds metadata for tracking and chargeback, but does not control or cap the actual compute costs incurred; it provides visibility, not cost control.

587
MCQ · easy

A company wants to connect their on-premises data center to Google Cloud with a dedicated, low-latency, and highly available connection. They need bandwidth of 10 Gbps. Which option should they choose?

A. Classic VPN
B. HA VPN over the public internet
C. Partner Cloud Interconnect
D. Dedicated Cloud Interconnect
Answer: D

Provides dedicated, high-bandwidth (10 Gbps), low-latency connections with SLA.

Why this answer

Dedicated Cloud Interconnect provides direct physical connections between on-premises and Google's network with speeds up to 100 Gbps per link. It offers high availability and low latency. HA VPN is over the public internet, Partner Interconnect depends on a partner, and Classic VPN is older.

588
Multi-Select · hard

A company wants to optimize their cloud spending on Google Cloud. They have a mix of workloads including batch processing, real-time analytics, and web serving. Which TWO strategies should they implement to reduce costs without significant architectural changes? (Choose two.)

Select 2 answers
A. Use sustained use discounts for short-lived instances.
B. Use preemptible VMs for batch processing jobs that are fault-tolerant.
C. Purchase committed use discounts for 1-year or 3-year terms for stable workloads.
D. Right-size all Compute Engine instances by analyzing utilization metrics.
E. Migrate all web serving workloads to Cloud Functions to benefit from pay-per-use pricing.
Answers: B, C

Preemptible VMs are cost-effective for fault-tolerant workloads.

Why this answer

Preemptible VMs are short-lived, fault-tolerant instances that cost significantly less than standard VMs, making them ideal for batch processing jobs that can handle interruptions. This strategy directly reduces compute costs without requiring architectural changes, as the workloads are already designed to be resilient to failures.

Exam trap

The trap here is that candidates often confuse sustained use discounts (which require long-running instances) with preemptible VMs (which are for short-lived, fault-tolerant workloads), or they assume right-sizing is a 'no-change' strategy when it typically involves instance type modifications that affect architecture.

589
MCQ · medium

A company deploys a web application on Compute Engine behind a Global HTTPS Load Balancer. They need to restrict access to the application based on the client's IP address. Which Google Cloud service should they use?

A. VPC firewall rules
B. Identity-Aware Proxy (IAP)
C. Cloud Armor
D. Cloud CDN
Answer: C

Cloud Armor provides IP-based access control and DDoS protection for load balancers.

Why this answer

Cloud Armor is the correct choice because it provides IP-based access control at the edge of Google's network, integrated directly with the Global HTTPS Load Balancer. It allows you to create security policies with IP allow/deny rules that are evaluated before traffic reaches your Compute Engine instances, making it the appropriate service for client IP restriction at the load balancer level.

Exam trap

The trap here is that candidates often confuse VPC firewall rules with edge security, not realizing that VPC firewall rules cannot see the original client IP when a Global Load Balancer is in front, making Cloud Armor the only option for IP-based access control at the load balancer level.

How to eliminate wrong answers

Option A is wrong because VPC firewall rules operate at the instance network interface level, not at the load balancer edge, and they cannot inspect the original client IP address when traffic passes through a Global HTTPS Load Balancer (the source IP becomes the load balancer's IP). Option B is wrong because Identity-Aware Proxy (IAP) controls access based on user identity and context (e.g., OAuth2, device security), not on client IP addresses; it is designed for authentication and authorization, not network-layer IP filtering. Option D is wrong because Cloud CDN is a content delivery network service that caches content at edge locations to improve latency and reduce load; it does not provide IP-based access control or security policy enforcement.

590
MCQ · easy

A developer wants to run a stateless HTTP API that automatically scales based on incoming request traffic. The API is packaged as a Docker container. They want to minimize operational overhead and only pay for resources when the API is handling requests. Which service should they use?

A. App Engine Standard
B. Google Kubernetes Engine (GKE) Autopilot
C. Compute Engine with managed instance groups
D. Cloud Run
Answer: D

Cloud Run fully manages scaling and billing per request, ideal for stateless containers.

Why this answer

Cloud Run is a fully managed serverless container platform that automatically scales, including scaling to zero, and bills per request. GKE requires cluster management. Compute Engine requires VM management.

App Engine Standard does not support custom containers.

591
MCQ · medium

After deploying the above configuration, the application is not receiving traffic from the Kubernetes Service. The Service is correctly configured to target port 8080. What is the most likely issue?

A. The initialDelaySeconds for readiness probe is too short; increase it.
B. The port name is not defined; add a name to the container port.
C. The readiness probe is using HTTP but the container may not be ready on that path; change to TCP.
D. The image pull policy is not set to Always; new pods may use stale image.
E. The liveness probe uses tcpSocket; it should be HTTPGet.
Answer: C

If /healthz is not served, the probe fails and pod is not ready.

Why this answer

Option C is correct because the readiness probe is configured as an HTTP GET request, but the application container may not be serving traffic on the specified HTTP path at startup. If the application listens on a TCP port but does not respond to HTTP GET on that path, the readiness probe will fail, causing the Service to not route traffic to the Pod. Changing the readiness probe to a TCP socket check ensures the probe only verifies that the port is open, which is more reliable when the application does not expose an HTTP endpoint for health checks.

Exam trap

Google Cloud often tests the distinction between readiness and liveness probes, and the trap here is that candidates confuse a failing readiness probe with a liveness probe issue, or assume that any HTTP probe is better than TCP without considering the application's actual behavior.

How to eliminate wrong answers

Option A is wrong because the initialDelaySeconds for the readiness probe being too short would cause the probe to start too early, potentially failing temporarily, but the application would eventually become ready; the issue described is that the application never receives traffic, indicating a persistent probe failure, not a timing issue. Option B is wrong because the port name is optional for Service targeting; the Service correctly targets port 8080 by number, so a missing port name does not prevent traffic routing. Option D is wrong because the image pull policy not being set to Always does not affect traffic routing; it only controls when the image is pulled, and stale images would still run and serve traffic if the container starts.

Option E is wrong because the liveness probe using tcpSocket is valid and does not affect traffic routing; the liveness probe is for restarting the container, not for Service traffic distribution.

592
MCQ · medium

Which traffic will this rule allow?

A. Outbound TCP traffic on ports 80 and 443 from instances with tag 'web-server' to IP ranges
B. Inbound TCP traffic on ports 80 and 443 from IP ranges to all instances
C. Inbound TCP traffic on ports 80 and 443 from any IP address to instances with tag 'web-server'
D. Inbound TCP traffic on ports 80 and 443 from IP ranges to instances with tag 'web-server'
Answer: D

Matches the rule definition exactly.

Why this answer

The rule allows inbound TCP on ports 80 and 443 from the specified IP ranges to instances tagged 'web-server'. It does not apply to all instances and is not outbound.

593
Multi-Select · easy

An engineer needs to troubleshoot a production issue on a Compute Engine instance. They suspect the instance is running out of memory. Which THREE actions should they take to diagnose the problem? (Choose THREE.)

Select 3 answers
A. SSH into the instance and run 'free -m' to check memory usage
B. Check Cloud Logging for OOM (out-of-memory) kernel messages
C. Increase the instance's memory by changing the machine type
D. Create a snapshot of the boot disk
E. View the instance's memory utilization metric in Cloud Monitoring
Answers: A, B, E

Running commands directly on the instance gives real-time memory usage.

Why this answer

Common troubleshooting involves checking instance metrics (Cloud Monitoring), analyzing logs (Cloud Logging), and connecting to the instance to run commands.

594
MCQ · medium

A company runs a web application on Compute Engine behind a Global HTTPS Load Balancer. Users report slow page loads, especially for static assets. The development team wants to cache content closer to users without modifying code. Which GCP service should they enable?

A. Cloud CDN
B. Cloud NAT
C. Cloud Armor
D. Cloud DNS
Answer: A

Cloud CDN caches static and dynamic content at Google's edge locations, reducing latency by serving content from a PoP near the user.

Why this answer

Cloud CDN uses Google's global edge cache to deliver content close to users. It can be enabled on the load balancer backend buckets (for Cloud Storage) or backend services (for Compute Engine). Cloud Armor is for security, Cloud DNS for domain resolution, and Cloud NAT for outbound connectivity.

595
MCQ · medium

A company uses preemptible VMs for batch processing. They notice that during peak hours, many instances are terminated before finishing their tasks. The operations team observes the output shown in the exhibit. Which action would best improve job completion rates without significantly increasing costs?

A. Increase the number of instances to compensate for terminations
B. Use sole-tenant nodes for these instances
C. Use instance groups with a mix of preemptible and regular VMs
D. Use committed use discounts for 1 year
E. Switch to regular VMs for critical jobs
Answer: C

Combines cost savings of preemptible with reliability of regular VMs.

Why this answer

Option C is correct because using a mixed instance group with both preemptible and regular VMs allows the batch processing job to continue on regular VMs when preemptible VMs are terminated during peak hours. This balances cost and reliability: preemptible VMs handle most of the workload at low cost, while regular VMs act as a fallback to ensure job completion without the full expense of switching entirely to regular VMs.

Exam trap

Google Cloud often tests the misconception that simply adding more preemptible VMs or switching entirely to regular VMs is the solution, but the correct answer requires a hybrid approach that balances cost and reliability using instance groups with a mix of VM types.

How to eliminate wrong answers

Option A is wrong because simply increasing the number of preemptible instances does not address the root cause of terminations during peak hours; it only increases the likelihood of more terminations and may lead to higher costs from repeated restarts. Option B is wrong because sole-tenant nodes provide dedicated hardware but do not prevent preemption; they are used for compliance or licensing, not for improving job completion rates of preemptible VMs. Option D is wrong because committed use discounts require a 1-year commitment and apply to regular VMs, not preemptible VMs, so they would increase costs without solving the termination issue.

Option E is wrong because switching all critical jobs to regular VMs would significantly increase costs, as regular VMs are more expensive than preemptible VMs, and the question asks for an improvement without significantly increasing costs.

596
MCQ · medium

A DevOps engineer needs to grant a CI/CD pipeline (running in a different Google Cloud project) the ability to deploy resources into a target project. The pipeline uses a service account. What is the best way to grant this access?

A. Use VPC peering to allow cross-project access.
B. Use Cloud NAT to enable communication.
C. Add the service account email as a member of the target project with appropriate roles.
D. Create a new service account in the target project and share the key with the pipeline.
Answer: C

Why this answer

IAM allows granting roles to a service account principal from another project by specifying the full email of the service account as a member.

597
Multi-Select · medium

A company runs a latency-sensitive web application on Compute Engine with a managed instance group (MIG) behind an HTTP load balancer. They want to reduce latency for users in Europe and Asia. Which THREE actions should they take?

Select 3 answers
A. Use a regional external load balancer for each region
B. Enable Cloud CDN to cache static content
C. Use a global external HTTP(S) Load Balancer
D. Use preemptible VMs to reduce costs in non-primary regions
E. Deploy managed instance groups in multiple regions (e.g., europe-west1, asia-east1)
Answers: B, C, E

CDN caches content at edge locations, reducing latency for repeated requests.

Why this answer

Creating MIGs in multiple regions and using a global HTTP Load Balancer distributes traffic to the closest region. Cloud CDN caches static content at edge locations, reducing latency. Enabling auto-scaling ensures there are enough instances to handle traffic.

Using a single regional load balancer would not serve multiple regions efficiently. Preemptible VMs are not suitable for latency-sensitive workloads.

598
MCQ · easy

A company wants to restrict data exfiltration from its Google Cloud projects by preventing resources from copying data to external IP addresses. Which service should they use?

A. HTTPS Load Balancer
B. VPC Service Controls
C. Cloud Armor
D. Cloud NAT
Answer: B

VPC Service Controls create a security perimeter around resources to prevent data exfiltration.

Why this answer

VPC Service Controls provide a security perimeter to reduce data exfiltration risk. Option C is wrong because Cloud Armor is for DDoS/WAF protection. Option D is wrong because Cloud NAT allows outbound connectivity, not restriction. Option A is wrong because HTTPS load balancers do not prevent data exfiltration.

599
Multi-Select · medium

A company is deploying a microservices application on Google Kubernetes Engine (GKE). They want to ensure that the cluster can automatically scale based on custom metrics, such as the number of pending requests per pod. Which two steps should they take? (Choose TWO)

Select 2 answers
A. Deploy the Metrics Server in the cluster to expose custom metrics via the Custom Metrics API.
B. Modify the application to expose custom metrics via an endpoint and configure the HPA to reference the custom metric.
C. Enable the Cloud Monitoring API and create a custom dashboard to track pending requests.
D. Configure a HorizontalPodAutoscaler (HPA) with the target average CPU utilization set to 80%.
E. Enable GKE Autopilot mode to automatically manage scaling based on custom metrics.
Answers: A, B

The Metrics Server provides the Custom Metrics API, enabling HPA to use custom metrics.

Why this answer

Option A is correct because the Metrics Server is required to expose custom metrics via the Custom Metrics API in GKE. Without it, the HorizontalPodAutoscaler (HPA) cannot retrieve the custom metrics needed for scaling decisions. Option B is correct because the application must expose custom metrics (e.g., pending requests) through an endpoint, and the HPA must be configured to reference that custom metric name to trigger scaling based on that specific value.

Exam trap

The trap here is confusing the Metrics Server (which exposes resource metrics) with the need for a custom metrics adapter; candidates often think the Metrics Server alone handles custom metrics, but it only serves CPU/memory, not application-level custom metrics like pending requests.

600
MCQ · medium

A company wants to encrypt data at rest in Cloud Storage using a key that they generate and manage themselves, not stored in Google Cloud. Which encryption type should they use?

A. Default encryption
B. Cloud HSM
C. CSEK
D. CMEK with Cloud KMS
Answer: C

Why this answer

CSEK (Customer-Supplied Encryption Keys) allows customers to provide their own encryption keys for Cloud Storage objects, which are used and then discarded by GCP.
