Google Professional Cloud Architect (PCA) — Questions 601675

1000 questions total · 14pages · All types, answers revealed

Page 8

Page 9 of 14

Page 10
601
MCQmedium

A company wants to allow developers to create service accounts in a project but prevent them from granting the 'roles/iam.serviceAccountUser' role to any user. Which organization policy constraint should they set?

A.Set the constraint 'iam.restrictGrantableRoles' to ['roles/iam.serviceAccountUser'].
B.Set the constraint 'iam.allowedPolicyMemberDomains' to include only the company's domain.
C.Set the constraint 'iam.disableServiceAccountKeyCreation' to True.
D.Set the constraint 'iam.workloadIdentityPoolProviders' to deny all.
AnswerA

This constraint prevents granting the specified role, even if the user has permission to grant roles.

Why this answer

Option A is correct because 'iam.disableServiceAccountKeyCreation' disables service account key creation, not role granting. Option B is correct because 'iam.allowedPolicyMemberDomains' restricts which domains can be granted roles. Actually the correct constraint to prevent granting roles is 'iam.restrictGrantableRoles'.

Wait, let's think: The question asks to prevent developers from granting a specific role. The correct constraint is 'iam.restrictGrantableRoles' which allows you to restrict the roles that can be granted. Option B is about domains.

Option D is about denying usage of service account impersonation? Actually, the correct answer is 'Workload Identity pools' not a constraint. The correct constraint is 'iam.restrictGrantableRoles'. So I need to pick the right one.

Let's correct: Option A: iam.disableServiceAccountKeyCreation - that prevents creating keys, not granting roles. Option B: iam.allowedPolicyMemberDomains - limits which domains can be members. Option C: iam.restrictGrantableRoles - limits which roles can be granted.

Option D: iam.workloadIdentityPoolProviders - for workload identity. So the correct is Option C. I need to adjust the JSON accordingly.

Actually in the JSON below I had a mistake. I'll correct now.

602
MCQhard

A company is using Cloud Armor with HTTP Load Balancing to protect a web application. They want to block traffic from specific IP ranges for all requests except those that include a valid reCAPTCHA token. Which Cloud Armor rule configuration should they use?

A.Use a rate-based rule to limit requests from those IP ranges and add a reCAPTCHA action.
B.Create a whitelist rule for the IP ranges and attach it as a deny rule with higher priority.
C.Create a deny rule for the IP ranges with a condition that the request does not contain a valid reCAPTCHA token.
D.Use Identity-Aware Proxy (IAP) to block the IPs and reCAPTCHA for others.
AnswerC

Deny unless token present; token evaluation via Cloud Armor rules.

Why this answer

Option C is correct because Cloud Armor security rules support boolean conditions using operators like `request.path` or custom headers. By creating a deny rule for the specific IP ranges with a condition that the request does not contain a valid reCAPTCHA token (evaluated via the `hasRecaptchaToken()` function), you allow traffic from those IPs only when the token is present. This directly implements the requirement without affecting other traffic.

Exam trap

The trap here is confusing Cloud Armor's rule-based conditional logic with rate limiting or identity-based access controls, leading candidates to choose rate-based rules (A) or IAP (D) instead of recognizing that a deny rule with a condition on reCAPTCHA token presence directly solves the requirement.

How to eliminate wrong answers

Option A is wrong because rate-based rules limit request frequency, not block IP ranges based on reCAPTCHA presence; they would still allow some requests without a token. Option B is wrong because a whitelist rule allows traffic by default, and attaching it as a deny rule with higher priority contradicts the whitelist concept; Cloud Armor evaluates rules by priority, and a deny rule for those IPs would block all traffic regardless of reCAPTCHA. Option D is wrong because IAP is an identity and access management layer for authentication, not a network-level IP blocking mechanism; it cannot conditionally block IPs based on reCAPTCHA tokens.

603
Multi-Selecteasy

A company is designing a data processing pipeline in Google Cloud that must be HIPAA compliant. Which three security features should they implement? (Choose three.)

Select 3 answers
A.Encrypt data in transit using TLS
B.Enable Data Loss Prevention (DLP) for data classification
C.Use Cloud CDN for faster delivery
D.Implement VPC Service Controls to prevent data exfiltration
E.Use Cloud HSM for encryption keys
AnswersA, D, E

Required by HIPAA for data in transit.

Why this answer

HIPAA requires encryption of data in transit and at rest. Using Cloud HSM for CMEK provides strong encryption at rest. VPC Service Controls help restrict data access.

DLP is useful for identifying PHI but not mandatory; CDN is not a security feature.

604
MCQmedium

A company stores infrequently accessed data in Cloud Storage Standard class. To reduce costs, they want to automatically move objects older than 90 days to a lower-cost storage class. Which approach should they use?

A.Configure a lifecycle policy to transition to Archive class
B.Use gsutil rewrite to manually change storage class
C.Set up Pub/Sub notifications for object changes
D.Enable object versioning
AnswerA

Lifecycle policies automatically move objects to lower-cost classes based on rules.

Why this answer

Cloud Storage lifecycle policies allow automatic transitions between storage classes based on conditions like age. Setting a rule to transition from Standard to Nearline, Coldline, or Archive after 90 days is the correct approach. Object versioning keeps multiple versions but doesn't change class.

Pub/Sub notifications notify events but don't act. gsutil rewrite can be scripted but is manual.

605
MCQhard

A company uses Assured Workloads to meet FedRAMP compliance. They need to ensure that only authorized personnel can access data access audit logs for their projects. Which IAM role should they grant to the security team?

A.roles/logging.privateLogViewer
B.roles/logging.viewer
C.roles/iam.securityReviewer
D.roles/logging.admin
AnswerA

This role grants read access to Data Access audit logs and Admin Activity logs, which is the minimum required.

Why this answer

Data Access audit logs require the 'roles/logging.privateLogViewer' role (or equivalent) to view. Admin Activity logs are visible with 'roles/logging.viewer' or higher.

606
MCQeasy

A company is migrating a legacy monolithic application to Google Cloud. The application currently runs on a single on-premises server and uses a local MySQL database. The company wants to minimize changes to the application code while improving scalability and reliability. Which migration strategy should the architect recommend?

A.Refactor the application into microservices and deploy on Google Kubernetes Engine.
B.Rehost the application on Compute Engine and use Cloud SQL for MySQL as the database.
C.Containerize the application with Docker and run it on Cloud Run.
D.Migrate the database to Firestore and rewrite the application to use Firestore APIs.
AnswerB

Rehosting on Compute Engine with Cloud SQL minimizes changes and improves scalability and reliability.

Why this answer

Option B is correct because rehosting (lift-and-shift) the monolithic application to Compute Engine with Cloud SQL for MySQL minimizes code changes while improving scalability and reliability. Cloud SQL provides managed MySQL with automated backups, replication, and failover, addressing the need for reliability without requiring application refactoring.

Exam trap

The trap here is that candidates often over-engineer the solution by choosing containerization or microservices, forgetting that the primary constraint is minimizing code changes, not modernizing the architecture.

How to eliminate wrong answers

Option A is wrong because refactoring into microservices and deploying on GKE introduces significant code changes and complexity, contradicting the requirement to minimize changes. Option C is wrong because containerizing with Docker and running on Cloud Run requires the application to be stateless and HTTP-driven, which a legacy monolithic app with a local MySQL database typically is not; Cloud Run also does not support stateful workloads or persistent MySQL connections natively. Option D is wrong because migrating to Firestore and rewriting the application to use Firestore APIs requires substantial code changes and a shift from SQL to NoSQL, violating the minimize-changes constraint.

607
MCQhard

An organization wants to enforce that all Compute Engine VMs are created with specific disk encryption keys. Which policy mechanism should they use?

A.Organization policies with constraints/compute.restrictDiskEncryptionKeyTypes
B.IAM roles with compute.diskEncryptionKey permissions
C.VPC Service Controls
D.Cloud Scheduler to check compliance
AnswerA

Enforces allowed encryption key types at the org level.

Why this answer

Option A is correct because the Organization Policy constraint `constraints/compute.restrictDiskEncryptionKeyTypes` allows administrators to enforce that all Compute Engine VMs must use specific disk encryption key types (e.g., CMEK or CSEK). This policy is evaluated at resource creation time and blocks any VM that does not comply with the allowed key types, providing a preventive control rather than a reactive one.

Exam trap

The trap here is confusing IAM permissions (who can do something) with Organization Policy constraints (what is allowed to be done), leading candidates to choose IAM roles instead of the correct policy mechanism.

How to eliminate wrong answers

Option B is wrong because IAM roles with `compute.diskEncryptionKey` permissions control who can set or view encryption keys, but they do not enforce which key types must be used on VMs; IAM is an authorization mechanism, not a policy enforcement mechanism. Option C is wrong because VPC Service Controls are designed to protect data exfiltration by controlling access to Google Cloud APIs from outside a VPC perimeter, not to enforce disk encryption key types on Compute Engine VMs. Option D is wrong because Cloud Scheduler is a cron-like job scheduler that can trigger compliance checks, but it is a reactive, after-the-fact mechanism and cannot prevent non-compliant VM creation in real time.

608
Multi-Selecthard

A financial services company must meet PCI DSS compliance requirements for a Google Kubernetes Engine (GKE) cluster processing credit card data. Which TWO actions are required to help achieve PCI DSS compliance? (Choose two.)

Select 2 answers
A.Enable GKE Dataplane V2 for network policy enforcement.
B.Enable Shielded GKE nodes.
C.Configure Cloud Audit Logs for the cluster.
D.Use GKE Sandbox for all untrusted workloads.
E.Enable Binary Authorization on the cluster.
AnswersB, E

Shielded nodes provide verifiable integrity of the node's boot and kernel, a PCI DSS requirement.

Why this answer

Options B and D are correct. Binary Authorization ensures only signed container images are deployed, meeting code integrity requirements. Shielded GKE nodes provide verifiable integrity of the node's boot and kernel, ensuring the underlying infrastructure is secure.

Option A is wrong because GKE Dataplane V2 is a network policy enforcement mechanism but not a specific PCI DSS requirement. Option C is wrong because GKE Sandbox is for workload isolation but not explicitly required by PCI DSS. Option E is wrong because Cloud Audit Logs are already enabled by default and not an additional requirement.

609
MCQhard

An organization uses Cloud SQL for MySQL in a production environment. They need to ensure high availability with automatic failover in case of a zonal failure. Which configuration should they use?

A.Create a read replica in a different region.
B.Create a regional Cloud SQL instance with automatic failover.
C.Export the database daily and import into a new instance if failure occurs.
D.Deploy Cloud SQL across multiple regions using cross-region replication.
AnswerB

Regional instances provide a synchronous standby in another zone and automatic failover.

Why this answer

A regional Cloud SQL instance with automatic failover uses a primary and a standby zone within the same region, with synchronous replication between them. If the primary zone fails, Cloud SQL automatically promotes the standby to primary, ensuring high availability without data loss. This configuration meets the requirement for automatic failover during a zonal failure.

Exam trap

The trap here is that candidates confuse cross-region replication (available for other database engines) with the zonal high-availability feature for Cloud SQL for MySQL, or assume that a read replica can be used for automatic failover when it requires manual promotion.

How to eliminate wrong answers

Option A is wrong because a read replica in a different region provides read scalability and disaster recovery across regions, but it does not support automatic failover for the primary instance; failover would require manual promotion, which is not automatic. Option C is wrong because daily exports and manual imports are a backup and restore strategy, not a high-availability solution; it introduces significant downtime and potential data loss, failing the automatic failover requirement. Option D is wrong because Cloud SQL for MySQL does not support cross-region replication for automatic failover; cross-region replication is available for Cloud SQL for PostgreSQL and SQL Server, but for MySQL, it is limited to read replicas, which do not provide automatic failover.

610
MCQmedium

A company wants to enforce that all API calls to GCP services from outside their corporate network come through a specific Cloud VPN tunnel. Which GCP service can enforce this policy?

A.VPC Service Controls
B.Cloud NAT
C.Identity-Aware Proxy
D.Cloud Armor
AnswerA

VPC Service Controls can use access levels to restrict API access to specific IP ranges, such as the VPN tunnel's egress IP.

Why this answer

VPC Service Controls with access levels can restrict access based on IP address ranges, including the VPN tunnel's egress IP.

611
Multi-Selectmedium

A team is designing a disaster recovery plan for a critical application. They need to ensure RPO of less than 1 hour and RTO of less than 4 hours. The application runs on Compute Engine with persistent disks and uses Cloud SQL for MySQL. Which THREE actions should they take? (Choose 3.)

Select 3 answers
A.Deploy a Transfer Appliance to copy data to another region weekly
B.Use a regional managed instance group and rely on Google's automatic failover
C.Store application configuration and scripts in a multi-regional Cloud Storage bucket
D.Configure Cloud SQL cross-region replication to a replica in another region
E.Take regular snapshots of Compute Engine persistent disks and replicate them to another region using Cloud Storage
AnswersC, D, E

A multi-regional bucket ensures configuration is available globally and can be used to bootstrap instances in the DR region.

Why this answer

For Compute Engine, taking regular snapshots and creating instances from them in another region meets RPO/RTO. For Cloud SQL, enabling cross-region replication (asynchronous) provides failover capability. Using a single regional managed instance group does not provide DR across regions.

Transfer Appliance is for bulk data migration, not DR. A multi-region bucket is for storage but not directly for Compute Engine instances.

612
MCQmedium

A company is migrating an on-premises PostgreSQL database to Cloud SQL with minimal downtime. The database is 1 TB and the network link has 500 Mbps bandwidth. Which migration approach is most appropriate?

A.Set up a Compute Engine instance with PostgreSQL replication and switch over.
B.Use BigQuery Data Transfer Service to replicate data.
C.Export the database as a SQL dump, transfer it to Cloud Storage, and import into Cloud SQL.
D.Use Database Migration Service to perform continuous replication and then promote Cloud SQL.
AnswerD

Database Migration Service supports continuous replication from on-premises to Cloud SQL with minimal downtime.

Why this answer

Database Migration Service (DMS) supports continuous replication from on-premises PostgreSQL to Cloud SQL using native PostgreSQL logical replication (pglogical or native publication/slot). This allows near-zero downtime by keeping the target in sync until promotion, which is ideal for a 1 TB database over a 500 Mbps link where a full dump/restore would take hours.

Exam trap

Google Cloud often tests the misconception that a simple dump-and-import (Option C) is acceptable for large databases, but the trap here is ignoring the 'minimal downtime' requirement, which demands a continuous replication solution like DMS rather than a batch export/import.

How to eliminate wrong answers

Option A is wrong because setting up a Compute Engine instance with PostgreSQL replication requires manual configuration of replication slots, failover scripts, and does not integrate with Cloud SQL's managed service, adding operational overhead and risk. Option B is wrong because BigQuery Data Transfer Service is designed for loading data into BigQuery, not for replicating PostgreSQL databases to Cloud SQL; it cannot perform continuous replication or handle transactional consistency. Option C is wrong because exporting a 1 TB database as a SQL dump and transferring it over a 500 Mbps link would take approximately 4.5 hours (1 TB * 8 / 500 Mbps) plus import time, causing significant downtime, and it does not support continuous replication for minimal downtime.

613
Multi-Selecthard

A company wants to deploy a stateful application with strict low-latency requirements across multiple zones in a single region. They need to minimize inter-zone latency. Which THREE actions should they take? (Choose 3)

Select 3 answers
A.Place application instances in the same zone to minimize network hops
B.Use zonal SSD persistent disks
C.Deploy instances in a managed instance group across multiple zones
D.Use a regional internal TCP/UDP load balancer
E.Use Dedicated Interconnect for on-premises connection
AnswersA, B, D

Same zone reduces latency.

Why this answer

Option A is correct because placing all application instances in the same zone eliminates cross-zone network hops, which directly reduces inter-zone latency to near zero. For a stateful application with strict low-latency requirements, this co-location ensures that traffic between instances stays within a single failure domain, avoiding the additional latency introduced by traversing zone boundaries.

Exam trap

The trap here is that candidates often assume multi-zone deployment is always required for high availability, but the question explicitly prioritizes minimizing inter-zone latency, making same-zone placement the correct choice despite the trade-off in fault tolerance.

614
MCQhard

A team runs a Cloud Spanner instance with a regional configuration. They need to increase write throughput for a global user base but are concerned about cost. What should they do?

A.Add more nodes to the instance
B.Use global indexes
C.Migrate to Cloud Firestore in Datastore mode
D.Switch to a multi-region configuration
AnswerA

Adding nodes increases both read and write throughput linearly.

Why this answer

Adding nodes increases throughput and cost proportionally. Switching to multi-region increases latency for writes (due to synchronous replication) and cost. Using global indexes won't increase baseline write throughput.

Recommending to use Firestore is not correct for this scenario.

615
MCQeasy

A company runs a batch job every night that processes large CSV files stored in Cloud Storage. The job runs on a single Compute Engine VM and takes 4 hours to complete. The team wants to reduce execution time without increasing cost substantially. The job is CPU-intensive and can be parallelized. What should they do?

A.Migrate the job to Dataproc and run it as a Spark job.
B.Use Cloud Batch to run the job as a batch job that automatically scales.
C.Use a VM with more vCPUs and a higher CPU platform.
D.Split the input files into smaller chunks and use multiple VMs in a managed instance group with a job scheduler.
AnswerD

Parallelizing across multiple VMs reduces execution time with linear cost increase.

Why this answer

Option B is correct: splitting input files and using multiple VMs in a managed instance group leverages parallelism effectively. Option A (bigger VM) increases cost. Option C (Cloud Batch) still requires parallelization design.

Option D (Dataproc) may introduce overhead and cost.

616
MCQhard

A company uses GKE Standard with node pools of preemptible VMs for batch jobs. They notice that during preemption events, pods take several minutes to become ready on new nodes because container images are large. They need to reduce startup time. Which approach is most effective?

A.Switch to GKE Autopilot.
B.Increase the size of the node pool.
C.Configure a DaemonSet to pre-pull the container image on all nodes.
D.Use a stateful set with persistent volumes to reuse data.
AnswerC

Pre-pulling ensures images are cached, significantly reducing startup time.

Why this answer

GKE with node auto-provisioning and a node pool of preemptible VMs using a daemonset to pre-pull images on all nodes ensures images are cached locally, reducing startup time after preemption.

617
Multi-Selecthard

Which THREE factors should be considered when selecting a machine series for a Compute Engine instance running a memory-intensive batch job?

Select 3 answers
A.Network throughput.
B.Sustained use discount.
C.GPU availability.
D.Memory per vCPU ratio.
E.vCPU count.
AnswersA, D, E

Batch jobs often involve data transfer; higher throughput reduces time.

Why this answer

Network throughput (A) is a critical factor for a memory-intensive batch job because such jobs often involve reading or writing large datasets from persistent storage or other sources over the network. The instance series must provide sufficient network bandwidth to avoid I/O bottlenecks that could extend job completion time, even if the compute and memory resources are adequate.

Exam trap

Google Cloud often tests the distinction between factors that influence technical workload performance (like network throughput and memory ratio) versus cost-saving mechanisms (like sustained use discounts) that are applied automatically and do not affect the suitability of a machine series.

618
Multi-Selectmedium

A company wants to connect their on-premises network to Google Cloud with high availability and bandwidth up to 10 Gbps. They need a dedicated connection with a Service Level Agreement (SLA). Which TWO options should they consider? (Choose TWO.)

Select 2 answers
A.Cloud Dedicated Interconnect
B.Classic VPN
C.Cloud CDN
D.Cloud Partner Interconnect
E.HA VPN
AnswersA, D

Dedicated Interconnect provides direct physical connection with up to 10 Gbps per circuit and SLA.

Why this answer

Cloud Interconnect provides dedicated connections with an SLA. Dedicated Interconnect offers 10 Gbps or more and is a physical connection. Partner Interconnect also provides dedicated bandwidth through a partner, but Classic VPN and HA VPN are over the internet and do not have a bandwidth SLA or dedicated connection.

619
MCQmedium

A company uses Cloud Storage for backups of on-premises databases. They want to ensure that data is protected against accidental deletion or modification by users. Which combination of features should they enable?

A.Object versioning and lifecycle management to delete old versions.
B.Bucket locking with retention policy and bucket-level IAM restrictions.
C.Bucket locking with retention policy and object holds.
D.Object versioning and bucket locking with retention policy.
E.Object versioning and IAM conditions restricting access to specific IP ranges.
AnswerD

Versioning preserves overwrites; retention policy prevents deletion.

Why this answer

Option D is correct because object versioning protects against accidental deletion or modification by preserving all versions of an object, while a bucket lock with a retention policy enforces a minimum retention period, preventing premature deletion or alteration. Together, they provide both recoverability and immutable compliance, which is essential for backup data integrity.

Exam trap

Google Cloud often tests the misconception that object holds alone provide sufficient immutability, but they are per-object and temporary, whereas a bucket lock with a retention policy provides a bucket-wide, locked-in immutable period that cannot be bypassed even by the bucket owner.

How to eliminate wrong answers

Option A is wrong because lifecycle management to delete old versions actively removes data, which contradicts the goal of protecting against accidental deletion. Option B is wrong because bucket-level IAM restrictions alone do not prevent a user with sufficient permissions from deleting or modifying objects; they lack the versioning-based recovery mechanism. Option C is wrong because object holds are temporary and must be manually applied per object, making them impractical for broad backup protection and not providing the automatic version history that versioning offers.

Option E is wrong because IAM conditions restricting access to specific IP ranges only control network-level access, not the ability to delete or modify objects once accessed, and they do not provide any data recovery or immutability features.

620
Multi-Selectmedium

A company is using Cloud NAT to allow instances in a private subnet to access the internet for updates. The security team wants to audit outbound connections. Which TWO steps should be taken to enable flow logs for Cloud NAT?

Select 2 answers
A.Enable private Google access on the subnet
B.Configure a log sink to export Cloud NAT logs to BigQuery
C.Enable VPC Flow Logs on the subnet
D.Create a new Cloud NAT gateway with logging enabled
E.Update the existing Cloud NAT gateway to enable flow logs
AnswersB, E

Exporting to BigQuery enables analysis and auditing of the flow logs.

Why this answer

Cloud NAT flow logs provide detailed records of outbound connections and are enabled directly on the Cloud NAT gateway itself. Option B is correct because configuring a log sink to export Cloud NAT logs to BigQuery is a valid step to audit outbound connections, but the primary step to enable logging is to update the existing Cloud NAT gateway to enable flow logs (Option E). Together, these two steps (B and E) allow you to capture and analyze outbound traffic for auditing.

Exam trap

The trap here is that candidates often confuse VPC Flow Logs with Cloud NAT flow logs, thinking that enabling VPC Flow Logs on the subnet will capture NAT traffic, but Cloud NAT flow logs are a distinct feature that must be enabled specifically on the NAT gateway itself.

621
MCQeasy

A developer needs to grant public read access to all objects in a Cloud Storage bucket named 'my-public-assets'. What is the simplest way to achieve this?

A.Set a bucket policy that allows allUsers to read objects.
B.Grant storage.objectViewer to AllUsers on the bucket without enabling uniform bucket-level access.
C.Enable uniform bucket-level access and grant storage.objectViewer to AllUsers.
D.Set an ACL on each object to allow public read.
AnswerC

This is the recommended approach for public buckets.

Why this answer

Option C is correct: AllUsers with storage.objectViewer on the bucket grants public read access to all objects. Option A requires setting ACLs per object. Option B is for uniform bucket-level access but that would require an additional step.

Option D is wrong; bucket policy only is not sufficient without AllUsers.

622
MCQhard

A financial services company uses Cloud SQL for MySQL for a critical application. They need zero downtime during maintenance and automatic failover across zones. They configured a Cloud SQL instance with high availability (HA). During a recent regional outage, the application experienced 10 minutes of downtime. What should they add to improve availability?

A.Configure a warm standby instance in another region using migration.
B.Create a cross-region replica and promote on failure.
C.Use Cloud SQL Proxy with multiple endpoints.
D.Enable database flags for faster failover detection.
AnswerB

Cross-region replica can be promoted to a new primary to handle regional failures.

Why this answer

Option B is correct because a cross-region replica provides a read-replica in a different region that can be promoted to a primary instance during a regional outage, enabling recovery with minimal downtime. This addresses the scenario where a single-region HA configuration (which uses zonal redundancy within the same region) cannot survive a full regional outage, as occurred in the question. Promoting the replica is a manual or automated failover action that restores write capability in the secondary region, reducing downtime from 10 minutes to seconds or minutes depending on replication lag.

Exam trap

The trap here is that candidates assume HA (zonal redundancy) protects against all outages, but the PCA exam tests understanding that HA is regional and cannot survive a full regional failure, requiring cross-region replicas for disaster recovery.

How to eliminate wrong answers

Option A is wrong because configuring a warm standby instance via migration implies a manual, non-automated process that does not provide automatic failover; it also requires additional setup and does not leverage Cloud SQL's built-in cross-region replica feature for seamless promotion. Option C is wrong because Cloud SQL Proxy is a tool for secure connectivity and connection pooling, not for failover or regional redundancy; multiple endpoints do not enable automatic failover across zones or regions. Option D is wrong because database flags for faster failover detection (e.g., innodb_flush_log_at_trx_commit) can improve performance but do not address regional outages; HA failover within a zone is already fast, but the issue is the entire region being unavailable.

623
MCQmedium

A developer wants to deploy a Cloud Function that is triggered whenever a new object is created in a Cloud Storage bucket. Which trigger type should they choose?

A.Firestore trigger
B.Cloud Storage trigger
C.Pub/Sub trigger
D.HTTP trigger
AnswerB

Cloud Storage triggers allow functions to respond to object lifecycle events like finalize/create.

Why this answer

Cloud Functions can be triggered by Cloud Storage events such as google.storage.object.finalize (object creation). HTTP triggers are for HTTP requests. Pub/Sub triggers for messages.

Firestore triggers for document changes.

624
Multi-Selectmedium

Which TWO services can be used to create a CI/CD pipeline for a containerized application on Google Cloud? (Choose 2)

Select 2 answers
A.Cloud Deploy
B.Cloud Functions
C.Cloud Build
D.Cloud Scheduler
E.Cloud Run
AnswersA, C

CD component.

Why this answer

Cloud Build builds and tests, and Cloud Deploy promotes releases. Both are essential for CI/CD.

625
MCQeasy

An engineer needs to list all Compute Engine instances in a project using the command line. Which gcloud command should they use?

A.gcloud compute instances describe
B.gcloud compute instances list
C.gcloud compute instance-groups list
D.gcloud compute machine-types list
AnswerB

This is the correct command to list all instances.

Why this answer

The correct command to list Compute Engine instances is 'gcloud compute instances list'. The other options are incorrect: 'gcloud compute machine-types list' lists machine types, 'gcloud compute instance-groups list' lists instance groups, and 'gcloud compute instances describe' describes a specific instance.

626
MCQeasy

A development team wants to automate the process of building container images from their GitHub repository and storing them in Artifact Registry. Which Google Cloud service should they use to create a build trigger that runs on every push to the main branch?

A.Container Registry
B.Cloud Build
C.Artifact Registry
D.Cloud Deploy
AnswerB

Correct. Build triggers in Cloud Build can watch a repository branch and run a build automatically.

Why this answer

Cloud Build is the CI/CD service that can be configured with build triggers to automatically build images on source code changes and push them to Artifact Registry.

627
Multi-Selectmedium

A company is planning to migrate a large on-premises Oracle database (10 TB) to Cloud SQL for PostgreSQL. They need to minimise downtime and ensure data integrity. Which TWO services or tools should they use? (Choose TWO.)

Select 2 answers
A.Migrate for Compute Engine
B.Cloud Dataflow
C.Cloud Scheduler
D.Database Migration Service (DMS)
E.Cloud SQL Auth Proxy
AnswersD, E

DMS can perform continuous migration from Oracle to Cloud SQL for PostgreSQL with near-zero downtime.

Why this answer

Database Migration Service (DMS) supports ongoing replication from Oracle to Cloud SQL for PostgreSQL, minimising downtime. Cloud Scheduler is not relevant. Dataflow can be used for streaming but is not the primary tool for database migration.

Migrate for Compute Engine is for VM migration. Cloud SQL Auth Proxy is for secure connections, not migration.

628
MCQhard

Your company runs a multi-tier web application on Google Kubernetes Engine (GKE). The application consists of a frontend service, a backend API service, and a PostgreSQL database deployed using a StatefulSet with persistent volumes. The backend service exposes a gRPC endpoint. Recently, the team noticed that the backend service experiences intermittent high latency and occasional timeouts. The frontend service is stateless and scales well. The backend service is CPU-bound. The database is not the bottleneck. The cluster has three nodes of type n1-standard-4. The backend service is deployed with 10 replicas, each requesting 1 CPU and 2 Gi memory. Node utilization is around 70% CPU. The team suspects the network is the issue. However, after reviewing the GKE monitoring dashboard, they see that the network bytes sent/received per second for the backend pods is well below the node's network bandwidth limit. The latency spikes seem correlated with periods of high CPU throttling on the backend pods. The backend service's gRPC requests are small (under 1 KB), and the responses are also small. The team has already optimized the application code. What should the team do to reduce latency?

A.Increase the number of nodes in the cluster to reduce network contention.
B.Increase the number of backend replicas to 20.
C.Increase the CPU request for the backend pods to 2 CPUs.
D.Increase the memory request for the backend pods to 4 Gi.
AnswerC

More CPU will reduce throttling and latency.

Why this answer

The correct answer is C because the latency spikes correlate with CPU throttling, and increasing the CPU request to 2 CPUs ensures that each backend pod receives a guaranteed CPU share, reducing throttling under load. Since the backend is CPU-bound and node utilization is 70%, the current 1 CPU request may be insufficient, causing the Kubernetes CPU manager to throttle the pods when the node's CPU is contended. This directly addresses the root cause without adding unnecessary replicas or memory.

Exam trap

The trap here is that candidates may focus on network or scaling solutions (A or B) because the symptom is latency, but the monitoring data explicitly points to CPU throttling, not network saturation, making CPU request adjustment the precise fix.

How to eliminate wrong answers

Option A is wrong because network contention is not the issue—monitoring shows network bytes are well below node bandwidth limits, and the problem is CPU throttling, not network. Option B is wrong because increasing replicas to 20 would increase CPU contention on the existing nodes, worsening throttling and latency, and the frontend already scales well. Option D is wrong because the backend is CPU-bound, not memory-bound; increasing memory does not alleviate CPU throttling and would waste resources.

629
MCQeasy

A company runs batch machine learning training jobs that can be interrupted. They want to reduce compute costs. Which Compute Engine VM pricing model is MOST cost-effective?

A.Preemptible VMs
B.Standard VMs
C.Sustained use discounts
D.Committed use discounts
AnswerA

Preemptible VMs are significantly cheaper and suitable for interruptible batch jobs.

Why this answer

Preemptible VMs offer up to 60-91% discount and can be terminated at any time, ideal for batch workloads that are fault-tolerant. Sustained use discounts are automatic but less aggressive. Committed use discounts require 1 or 3 year commitment.

Standard VMs are full price.

630
MCQmedium

An application uses Cloud Bigtable and experiences high latency for reads. The row key is a timestamp prefix followed by a random ID. Queries often scan a range of timestamps for a specific ID. What design change would MOST improve read performance?

A.Change the row key to start with the random ID followed by timestamp
B.Add more Bigtable nodes
C.Use a separate column family for the ID
D.Enable Bigtable replication
AnswerA

This ensures rows for the same ID are clustered together, making timestamp range scans for a specific ID fast.

Why this answer

For Bigtable, row key design is critical. Scanning a range of timestamps for a specific ID is inefficient if the key starts with timestamp (scans across all IDs). Prepending the ID ensures all data for that ID is contiguous, making range scans efficient.

Adding nodes increases throughput but doesn't fix the key design issue. Using a column family is about grouping columns, not performance.

631
MCQmedium

A company is migrating on-premises workloads to Google Cloud. They have a critical application that requires consistent low-latency access to a database, with read replicas in multiple regions for disaster recovery. The application is expected to grow by 10x over the next year. Which database service and configuration should the architect choose to meet these requirements?

A.Use Cloud Bigtable with multi-region replication
B.Use Cloud SQL for PostgreSQL with cross-region read replicas
C.Use Cloud Spanner with multi-region configuration
D.Use Firestore in native mode with multi-region location
AnswerC

Cloud Spanner offers global strong consistency, automatic replication, and horizontal scalability.

Why this answer

Cloud Spanner with a multi-region configuration is the correct choice because it provides strong global consistency, low-latency reads and writes across regions, and automatic horizontal scaling to handle a 10x growth in workload. Its multi-region replication ensures synchronous replication for disaster recovery while maintaining ACID transactions, which is critical for a database requiring consistent low-latency access.

Exam trap

The trap here is that candidates often confuse Cloud Spanner's multi-region capabilities with simpler replication options like Cloud SQL read replicas or Bigtable's eventual consistency, failing to recognize that only Spanner provides strong global consistency and horizontal scaling for transactional workloads.

How to eliminate wrong answers

Option A is wrong because Cloud Bigtable is a NoSQL wide-column database designed for high-throughput analytical workloads, not for transactional applications requiring strong consistency and low-latency access to a single database; its multi-region replication is asynchronous and does not guarantee strong consistency. Option B is wrong because Cloud SQL for PostgreSQL supports cross-region read replicas, but the primary database is single-region and cannot scale horizontally to handle a 10x growth; read replicas are asynchronous and do not provide strong consistency for writes, making it unsuitable for a critical application requiring consistent low-latency access. Option D is wrong because Firestore in native mode is a NoSQL document database with eventual consistency by default (unless using transactions) and does not support the strong global consistency and horizontal scaling needed for a relational database workload with 10x growth; its multi-region location provides replication but not the ACID transactional guarantees required.

632
MCQeasy

A company wants to automatically apply security patches to Compute Engine instances running Windows Server. They need a solution that can schedule patch installations and report compliance. Which service should they use?

A.OS Config
B.Cloud Monitoring
C.Cloud Deploy
D.Cloud Build
AnswerA

OS Config provides patch management for VMs.

Why this answer

OS Config’s patch management feature allows scheduling and monitoring of OS patches across VM instances.

633
MCQhard

An administrator creates a GKE cluster with the command above. After deployment, the cluster has 3 nodes, but the node pool autoscaler never scales up even under load. What is the most likely reason?

A.The autoscaler minimum nodes is set to 1 and maximum to 5.
B.The disk size of 100 GB is insufficient.
C.The cluster is zonal, but node locations include multiple zones.
D.The machine type e2-medium is too small for the workloads.
AnswerC

In a zonal cluster, nodes can only be in the cluster zone; node-locations is ignored.

Why this answer

Option C is correct because the node pool autoscaler in GKE cannot scale up a cluster that uses multiple zones in a single zonal cluster. The autoscaler requires that all nodes in the pool be in the same zone to properly manage capacity; when node locations span multiple zones in a zonal cluster, the autoscaler is disabled and will not trigger scaling events, even under load.

Exam trap

The trap here is that candidates often assume the autoscaler is misconfigured due to limits or resource constraints, but Cisco tests the subtle distinction that the autoscaler is disabled entirely when node locations span multiple zones in a zonal cluster.

How to eliminate wrong answers

Option A is wrong because setting minimum nodes to 1 and maximum to 5 is a valid autoscaler configuration and does not prevent scaling; it actually enables scaling within that range. Option B is wrong because a 100 GB disk size is sufficient for most workloads and disk size does not affect the autoscaler's ability to scale; the autoscaler responds to resource requests (CPU/memory), not disk capacity. Option D is wrong because the e2-medium machine type, while small, is not inherently too small for workloads; the autoscaler scales based on pending pods and resource requests, not the machine type itself, and a small machine type would actually trigger scaling if workloads exceed its capacity.

634
Multi-Selecthard

A company is designing a DR strategy for their GKE workloads. They need to back up application data and cluster configuration. Which THREE resources should they include in their backup plan? (Choose THREE.)

Select 3 answers
A.etcd snapshot via Velero
B.Kubernetes resource manifests (Deployments, Services, etc.)
C.Service account keys for the cluster
D.PersistentVolume data and PVCs
E.Compute Engine node images
AnswersA, B, D

etcd snapshot captures cluster state including resources.

Why this answer

PersistentVolume data (application data), Kubernetes resource manifests (deployments, services), and etcd snapshots (cluster state) are essential. Node images can be recreated from configuration. Service accounts are IAM entities and not typically backed up as part of cluster backup.

635
Multi-Selectmedium

A company wants to reduce egress costs from Google Cloud when serving static content to users worldwide. They also need to ensure low latency for global users. Which TWO actions should they take? (Choose 2)

Select 2 answers
A.Enable VPC Flow Logs to monitor egress.
B.Use premium tier network for egress traffic.
C.Use a multi-regional Cloud Storage bucket to serve content.
D.Configure Cloud CDN in front of the origin.
E.Allow public access to the bucket and use signed URLs.
AnswersB, D

Premium tier uses Google's global network, which can improve performance and reduce bandwidth costs compared to standard internet.

Why this answer

Cloud CDN caches content at edge locations, reducing egress from the origin and providing low latency. Using a premium tier network improves performance and can reduce egress costs compared to standard tier. Allowing public access to the bucket is not directly related to egress cost reduction.

636
Multi-Selectmedium

A company is migrating to Google Cloud and needs to implement a least-privilege access model. Which THREE Google Cloud services or features support this goal? (Choose three.)

Select 3 answers
A.Cloud IAM Conditions
B.Cloud Audit Logs
C.VPC Service Controls
D.Cloud NAT
E.Organization Policy Service
AnswersA, C, E

Allow access based on attributes like time, IP, or resource type, enabling least privilege.

Why this answer

Options A, C, and D are correct. Cloud IAM Conditions enable fine-grained, attribute-based access control. VPC Service Controls restrict data exfiltration by limiting access to APIs.

Organization Policy allows setting constraints that enforce least privilege at the org level. Option B is wrong because Cloud Audit Logs are detective, not preventive. Option E is wrong because Cloud NAT is a network service for outbound connectivity, not access control.

637
MCQhard

An application uses Cloud SQL (PostgreSQL) and experiences high connection overhead, often exhausting the max connections limit. The team wants to maintain a pool of persistent connections without modifying application code. Which solution should they implement?

A.Use Cloud Memorystore as a connection cache
B.Increase the max connections flag in Cloud SQL
C.Configure Cloud SQL Auth Proxy with max connections
D.Deploy PgBouncer on a Compute Engine instance
AnswerD

PgBouncer is a lightweight connection pooler for PostgreSQL that can be deployed to manage connections transparently.

Why this answer

PgBouncer is a connection pooler for PostgreSQL that manages a pool of connections, reducing overhead and preventing exhaustion. It can be deployed on Compute Engine or using Cloud SQL Auth Proxy with connection pooling.

638
MCQmedium

Your team uses a GKE cluster with Autopilot mode. You want to ensure that your workloads can tolerate a node failure without manual intervention. What should you do?

A.Enable cluster multi-zonal and set pod anti-affinity rules
B.Create a node pool with multiple zones and enable cluster autoscaling
C.Configure a PodDisruptionBudget and deploy multiple replicas of your pods across different nodes
D.Use StatefulSets with persistent volumes that are replicated across zones
AnswerC

Autopilot automatically handles node failures, but you should ensure your application is resilient by having multiple replicas and a PDB.

Why this answer

GKE Autopilot automatically manages nodes and provides workload-level SLAs. By setting the pod's 'disruption budget' and ensuring replicas are distributed across nodes (which Autopilot does by default), the cluster will automatically reschedule pods if a node fails. No manual node management is required.

639
Multi-Selecthard

A company runs a batch analytics job every hour on BigQuery. The job processes terabytes of data and the results are stored in Cloud Storage. The job must complete within 30 minutes. Which TWO actions can reduce query execution time? (Choose 2)

Select 2 answers
A.Use cached results from the previous run
B.Use a partitioned table based on the timestamp column
C.Convert the query to use legacy SQL
D.Export the data to Cloud Storage and query with an external table
E.Increase the number of BigQuery slots assigned to the project
AnswersB, E

Partition pruning limits the amount of data scanned, reducing query time.

Why this answer

Using partitioned tables allows BigQuery to scan only relevant partitions, reducing data scanned and improving speed. Increasing slot capacity provides more compute resources for the query. Partition elimination reduces data scanned; using clustering can also help but is not listed.

Caching results only helps if the query is repeated; the job runs hourly with new data. Using legacy SQL does not improve performance.

640
MCQeasy

A data analytics team runs ad-hoc SQL queries on BigQuery to explore a 10 TB table. Queries are slow and expensive because they frequently scan the entire table. They want to reduce query costs and improve performance without changing the table schema. Which optimization should they apply first?

A.Create a materialized view of common aggregations.
B.Use clustering on the most-filtered column.
C.Partition the table by a date or timestamp column.
D.Switch to on-demand pricing from slot reservations.
AnswerC

Partitioning limits the data scanned per query, reducing cost and improving performance.

Why this answer

Partitioning the table by a time column (e.g., ingestion date) allows queries to filter on that column and scan only relevant partitions, reducing scanned data and cost. Clustering is also beneficial but partitioning is the first step for cost reduction.

641
MCQmedium

Your team has deployed a microservices application on Google Kubernetes Engine (GKE) with multiple services communicating via internal ClusterIP services. You notice that some requests between services are failing intermittently with 'connection refused' errors. The services are defined with readiness probes. What is the most likely cause?

A.The readiness probes are not passing, causing the service endpoints to be removed.
B.The services are not exposed via a VPC peering connection to the client's VPC.
C.The services are using NodePort instead of LoadBalancer type, causing port conflicts.
D.The services are not associated with an Ingress resource.
AnswerA

Failing readiness probes cause the pod to be removed from service endpoints, leading to connection refused.

Why this answer

The 'connection refused' error indicates that the client is attempting to connect to a port on which no process is listening. In GKE, when a readiness probe fails, Kubernetes removes the pod's IP from the corresponding ClusterIP service's endpoints. If all pods for a service fail their readiness probes, the service has no healthy endpoints, and any request to the ClusterIP will be refused because there is no backend to accept the connection.

This matches the intermittent nature of the issue, as pods may temporarily fail the probe and then recover.

Exam trap

Google Cloud often tests the distinction between readiness and liveness probes, where candidates may incorrectly assume that a failing liveness probe (which restarts the pod) is the cause of 'connection refused', but the key is that readiness probes control endpoint membership, directly causing the error when all endpoints are removed.

How to eliminate wrong answers

Option B is wrong because VPC peering is used for connectivity between separate VPC networks, not for internal service-to-service communication within the same GKE cluster; ClusterIP services are inherently reachable within the cluster without any peering. Option C is wrong because NodePort and LoadBalancer are service types for external exposure, not for internal pod-to-pod communication; port conflicts are not a typical cause of 'connection refused' errors within a cluster, and NodePort does not affect internal ClusterIP functionality. Option D is wrong because an Ingress resource is used for external HTTP/S traffic routing to services, not for internal service-to-service communication; the absence of an Ingress has no impact on direct ClusterIP-based communication between microservices.

642
MCQmedium

A startup is developing a real-time analytics dashboard that ingests data from IoT devices. The data volume is unpredictable but can spike to millions of events per second. The dashboard must display near real-time aggregations with sub-second latency. Which Google Cloud architecture should the architect recommend?

A.Ingest via Cloud IoT Core directly to Cloud Bigtable, then query with BigQuery.
B.Ingest via Cloud Pub/Sub, process with Cloud Dataproc, store in Cloud Storage, and query with BigQuery.
C.Ingest via Cloud Pub/Sub, store raw data in Cloud Storage, and use Cloud SQL for aggregations.
D.Ingest via Cloud Pub/Sub, process with Cloud Dataflow, store in Cloud Bigtable, and query from the dashboard.
AnswerD

This combination handles high ingest rates, stream processing, and low-latency queries.

Why this answer

Option D is correct because Cloud Pub/Sub provides scalable, asynchronous ingestion for unpredictable IoT data spikes, Cloud Dataflow enables stream processing for near real-time aggregations with sub-second latency, and Cloud Bigtable offers low-latency, high-throughput storage ideal for serving aggregated results directly to a dashboard. This combination meets the requirements of unpredictable volume, real-time processing, and low-latency queries.

Exam trap

The trap here is that candidates often choose batch-oriented services like BigQuery or Dataproc for real-time requirements, overlooking that Cloud Dataflow's stream processing and Cloud Bigtable's low-latency storage are specifically designed for sub-second, high-throughput dashboard use cases.

How to eliminate wrong answers

Option A is wrong because Cloud IoT Core directly to Cloud Bigtable lacks a buffering layer for unpredictable spikes, and BigQuery is not designed for sub-second query latency on real-time dashboards. Option B is wrong because Cloud Dataproc is batch-oriented and introduces higher latency for stream processing, and Cloud Storage with BigQuery adds significant query latency unsuitable for sub-second dashboard responses. Option C is wrong because Cloud SQL cannot handle millions of events per second for real-time aggregations and lacks native stream processing capabilities.

643
MCQmedium

Your organization runs a production Cloud SQL for PostgreSQL instance. You need to ensure that if the primary zone fails, the database automatically fails over to a standby with no data loss. Which configuration should you use?

A.Enable point-in-time recovery (PITR)
B.Configure a cross-region replica
C.Deploy a regional Cloud SQL instance with high availability
D.Create a read replica and promote it on failure
AnswerC

Regional HA instances automatically fail over to a standby in another zone with synchronous replication, ensuring no data loss.

Why this answer

Cloud SQL HA with regional instances uses synchronous replication to a standby in a different zone, ensuring zero data loss on automatic failover. Cross-region replication is for disaster recovery, not automatic failover. Point-in-time recovery is for restoration to a specific time, not failover.

Read replicas are for read scaling, not automatic failover.

644
MCQmedium

A financial services company is migrating a monolithic Java application to Google Cloud. They want to minimize changes to the application code but take advantage of managed services. They plan to run the application on a VM with a specific OS configuration that is not supported by App Engine. Which migration strategy should they use?

A.Re-architect the application as microservices on GKE
B.Re-platform to App Engine Flexible Environment
C.Re-platform to Cloud Run
D.Lift-and-shift to Compute Engine with Cloud SQL for the database
AnswerD

This minimizes code changes (lift-and-shift) and uses managed Cloud SQL to offload database management.

Why this answer

Lift-and-shift is appropriate when minimal code changes are desired and the application can run on VMs. Re-platform would involve moving to a managed service like Cloud SQL but still typically requires some changes. Re-architect is a full rewrite.

Since they need a custom OS, App Engine is not an option.

645
MCQmedium

Your company runs a stateful application on GKE that stores data in persistent volumes backed by Compute Engine persistent disks. You need to back up the application data and the Kubernetes resource configurations (deployments, services, etc.) for disaster recovery. Which tool should you use?

A.Velero
B.gcloud container clusters create --async
C.Cloud SQL for MySQL
D.Cloud Storage with object versioning and lifecycle policies
AnswerA

Velero backs up Kubernetes resources and persistent volumes to Cloud Storage.

Why this answer

Velero (formerly Heptio Ark) is an open-source tool for backing up and restoring Kubernetes cluster resources and persistent volumes. It supports GCP as a storage destination (Cloud Storage). Cloud Storage versioning can back up files but not Kubernetes resources. gcloud container clusters create does not back up.

Cloud SQL is for relational databases.

646
MCQmedium

A company runs a web application behind a Cloud HTTP(S) Load Balancer. Static content (images, CSS, JS) is served from Cloud Storage. They want to reduce latency for users worldwide. Which action is MOST effective?

A.Enable Cloud CDN on the backend bucket
B.Increase the number of frontend instances
C.Use Cloud Armor to block high-latency requests
D.Use a multi-regional Cloud Storage bucket
AnswerA

Cloud CDN caches static content at edge locations worldwide, significantly reducing latency for users regardless of their location.

Why this answer

Cloud CDN caches content at global edge locations, reducing latency for users. Enabling Cloud CDN on the backend bucket serves static content from the edge. Using a multi-region bucket provides regional redundancy but does not reduce latency as effectively as CDN.

Increasing machine size does not help with static content serving.

647
Multi-Selecthard

A company has a Cloud SQL for PostgreSQL instance that is experiencing high latency. They suspect a connection pooling issue. Which TWO configurations should be checked? (Choose two.)

Select 2 answers
A.Cloud SQL Auth Proxy configuration
B.max_connections database flag
C.Private IP assignment
D.Database query insights
E.Database version
AnswersA, B

Correct. The proxy handles connection pooling efficiently.

Why this answer

The Cloud SQL proxy provides secure connections and connection pooling to reduce latency. The max_connections parameter affects how many connections are allowed and can be a bottleneck. Query insights helps but is not a configuration.

Private IP vs public IP affects network path but not connection pooling per se.

648
Multi-Selectmedium

A company wants to implement a disaster recovery (DR) strategy for their Cloud SQL for MySQL databases. They need to be able to recover to a specific point in time (within seconds) in case of accidental data deletion. Which TWO actions should they take? (Choose TWO.)

Select 2 answers
A.Enable binary logging (binlog)
B.Configure a failover replica in another zone
C.Create a cross-region read replica
D.Enable automated backups
E.Export the database daily to Cloud Storage
AnswersA, D

Binary logging captures changes and enables point-in-time recovery.

Why this answer

Point-in-time recovery (PITR) in Cloud SQL uses transaction logs to restore to any point in time within the backup retention period. Automated backups are required to enable PITR. Cross-region replication is for regional DR but not point-in-time.

649
MCQhard

Your company uses Cloud Spanner in a multi-region configuration to achieve 99.999% availability. You need to understand the impact of a regional failure on read and write availability. Which statement is correct?

A.Both reads and writes are fully available as long as at least one region remains healthy
B.Reads and writes remain fully available because Cloud Spanner uses synchronous replication across all regions
C.Writes are unavailable if the region containing the leader replica fails, but reads remain available
D.Writes are always available, but reads may be unavailable if the region with the closest replica fails
AnswerC

Leader region failure can cause write unavailability until a new leader is elected; reads can still be served.

Why this answer

Cloud Spanner multi-region configurations use a voting protocol. For read-write operations, a majority of replicas must be available. If one region fails, writes may be impacted if the remaining regions do not have a majority.

However, reads can still be served from healthy replicas in other regions (though they may be stale).

650
MCQhard

A company uses a Shared VPC hosted in a common project (host project) to centralize network management. A service project team needs to create a Compute Engine instance with a specific static internal IP address from the Shared VPC subnet. What IAM permissions should be granted to the service project's Compute Engine default service account?

A.compute.networkAdmin on the host project.
B.compute.subnetworks.use on the host project subnet.
C.compute.instances.create on the service project.
D.compute.subnetworks.use and compute.addresses.use on the subnet and static IP.
AnswerD

These permissions allow using the subnet and reserving the specific IP.

Why this answer

Option B is correct: To use a specific static internal IP from a Shared VPC, the service account needs compute.subnetworks.use and compute.addresses.use on the subnet or address resource. Option A is missing compute.addresses.use. Option C grants compute.instances.create but not the necessary subnet/address permissions.

Option D is too broad and unnecessary.

651
Multi-Selecthard

A finance company needs to ensure that all compute instances in their VPC can only communicate with Google APIs (e.g., Cloud Storage) over internal IPs. Additionally, instances without external IPs should be able to access the internet for updates. Which TWO configurations should they implement?

Select 2 answers
A.Configure Cloud NAT
B.Create a firewall rule allowing egress to 0.0.0.0/0
C.Enable Private Google Access on the subnet
D.Assign external IPs to all instances
E.Use VPC peering with Google's public network
AnswersA, C

Cloud NAT provides outbound internet access to instances without external IPs.

Why this answer

Private Google Access allows VMs to use internal IPs to access Google APIs. Cloud NAT enables outbound internet access for instances without external IPs.

652
MCQhard

A company requires a globally distributed relational database with strong consistency across regions and automatic replication. They need to support SQL queries and have a write throughput of 100,000 writes per second. Which Google Cloud database meets these requirements?

A.Cloud Spanner
B.Cloud Bigtable
C.BigQuery
D.Cloud SQL with cross-region replication
AnswerA

Cloud Spanner is designed for global distribution, strong consistency, high write throughput, and SQL.

Why this answer

Cloud Spanner is a globally distributed, strongly consistent relational database that supports SQL and can scale to millions of writes per second. Cloud SQL is regional, Bigtable is NoSQL and not relational, BigQuery is an analytics warehouse.

653
MCQmedium

A team wants to deploy a microservice on Cloud Run that needs to access a Cloud Memorystore for Redis instance in the same region. The Redis instance is in a VPC network. Which configuration is required for Cloud Run to reach the Redis instance?

A.Configure a Cloud NAT gateway
B.Create a Serverless VPC Access connector and configure Cloud Run to use it
C.Use Private Google Access
D.Deploy Cloud Run within a VPC
AnswerB

The connector enables Cloud Run to send traffic to the VPC.

Why this answer

Cloud Run services can connect to a VPC using a Serverless VPC Access connector, which provides private network access.

654
MCQmedium

Your organization has a policy that all Compute Engine instances must have specific labels (env, team, cost-center) applied. You want to enforce this automatically when instances are created. What should you do?

A.Enable Cloud Audit Logs and set up a metric-based alert to detect instances without labels.
B.Create a Cloud Function that listens for instance creation events and adds labels automatically.
C.Assign a custom IAM role that includes permission to label instances, and remove the default compute.instances.create permission.
D.Use the Organization Policy service with a custom constraint to require labels on Compute Engine instances.
AnswerD

Organization policies can enforce label requirements at creation time.

Why this answer

Option D is correct because Organization Policy Service with a custom constraint allows you to enforce that all Compute Engine instances must have specific labels (env, team, cost-center) at creation time. This is a preventive control that blocks creation of non-compliant instances, unlike reactive or permission-based approaches. Custom constraints use the `compute.googleapis.com/instance` resource type and can require label keys or values using CEL (Common Expression Language) syntax.

Exam trap

The trap here is that candidates often choose reactive solutions (like Cloud Functions or alerts) because they seem simpler, but the exam emphasizes preventive enforcement using Organization Policy constraints for compliance-driven requirements.

How to eliminate wrong answers

Option A is wrong because Cloud Audit Logs and metric-based alerts are reactive — they only detect non-compliant instances after creation, not prevent them, and do not enforce the policy automatically. Option B is wrong because a Cloud Function that listens for instance creation events and adds labels is also reactive; it can fail or be bypassed, and the instance is created without labels initially, violating the policy. Option C is wrong because removing the default `compute.instances.create` permission would prevent all instance creation, not just unlabeled ones, and a custom IAM role cannot enforce label requirements at creation time — it only controls who can create instances, not what labels they must include.

655
Multi-Selecthard

Which THREE components are required to set up a private connection between an on-premises network and a VPC using Cloud VPN? (Choose three.)

Select 3 answers
A.Peer VPN gateway (on-premises).
B.Two VPN tunnels (for redundancy).
C.Cloud VPN gateway.
D.VPC Network Peering.
E.Cloud Router.
AnswersA, B, C

Required to terminate VPN on-premises.

Why this answer

Option A is correct because a Peer VPN gateway represents the on-premises VPN device that terminates the IPsec tunnel from the Cloud VPN gateway. This is a required component to establish the encrypted tunnel between your on-premises network and the VPC, as it defines the public IP address and configuration of the remote endpoint.

Exam trap

Google Cloud often tests the misconception that Cloud Router is always required for Cloud VPN, but it is only needed for dynamic BGP routing; for static routes, Cloud Router is not a mandatory component.

656
MCQmedium

Refer to the exhibit. This is an IAM policy for a BigQuery dataset. What does the policy allow?

A.Alice to view data and analysts to run jobs.
B.Alice and analysts to run jobs.
C.Alice to run jobs and analysts to view data.
D.Alice and analysts to view data.
AnswerA

dataViewer allows viewing, jobUser allows running jobs.

Why this answer

The policy grants the `roles/bigquery.dataViewer` role to Alice, which allows her to view dataset metadata and query data, and the `roles/bigquery.jobUser` role to analysts, which allows them to run jobs (queries, load, export) but not view data directly. This combination matches option A.

Exam trap

Google Cloud often tests the distinction between data viewing and job execution permissions in BigQuery, trapping candidates who assume that running a job automatically includes the ability to see the data.

How to eliminate wrong answers

Option B is wrong because Alice is assigned `roles/bigquery.dataViewer`, not `roles/bigquery.jobUser`, so she cannot run jobs; only analysts have the jobUser role. Option C is wrong because it reverses the permissions: Alice can view data (not run jobs) and analysts can run jobs (not view data). Option D is wrong because analysts are granted `roles/bigquery.jobUser`, which does not include data viewing permissions; only Alice has data viewing access.

657
MCQmedium

A developer ran the command `gcloud compute instances describe instance-1 --zone us-central1-a` and received the above output. They want to create another instance with the same configuration, except with a different external IP. Which action should they take?

A.Reserve a new static external IP address and assign it to the new instance.
B.Create a new instance without specifying a static IP, so it receives an ephemeral IP.
C.Use the same static IP address by releasing and reassigning it.
D.None of the above.
AnswerB

Ephemeral IPs are different from the static IP shown.

Why this answer

The `gcloud compute instances describe` output shows the instance has an external IP that is ephemeral (not reserved). To create a new instance with the same configuration but a different external IP, the simplest approach is to create a new instance without specifying a static IP, which will automatically assign a new ephemeral IP. This avoids the overhead of reserving and managing a static IP when only a temporary, different address is needed.

Exam trap

Google Cloud often tests the distinction between ephemeral and static IPs, and the trap here is that candidates assume any external IP must be static, leading them to unnecessarily reserve a new static IP instead of simply creating an instance without specifying one.

How to eliminate wrong answers

Option A is wrong because reserving a new static external IP and assigning it would give the instance a permanent, unchanging IP, which is unnecessary and incurs additional cost if the IP is not used; the goal is simply a different IP, not a static one. Option C is wrong because releasing and reassigning the same static IP would result in the same IP address, not a different one, and the describe output shows the current IP is ephemeral, not static. Option D is wrong because option B provides a valid and correct action.

658
MCQeasy

A developer wants to automate the creation of a Google Cloud project with a specific VPC and firewall rules. Which tool should they use?

A.Cloud Shell
B.Cloud Console
C.Deployment Manager
D.Cloud SDK
AnswerC

Deployment Manager is Google Cloud's infrastructure as code service.

Why this answer

Deployment Manager is the correct tool because it allows you to define and manage Google Cloud resources, including projects, VPCs, and firewall rules, using declarative templates (YAML, Python, or Jinja2). This enables infrastructure-as-code (IaC) automation, which is essential for repeatable and version-controlled project creation. Unlike interactive tools, Deployment Manager handles the entire lifecycle of resources, including dependencies and updates, without manual intervention.

Exam trap

Google Cloud often tests the distinction between interactive tools (Cloud Shell, Cloud Console) and automation tools (Deployment Manager, Cloud SDK), but the trap here is that candidates confuse Cloud SDK (a set of command-line tools) with an automation framework, whereas Deployment Manager is the only option that provides declarative, template-based automation for complex multi-resource deployments.

How to eliminate wrong answers

Option A is wrong because Cloud Shell is an interactive command-line environment that provides temporary access to Cloud SDK tools, but it does not itself automate resource creation; it is merely a terminal for running commands manually. Option B is wrong because Cloud Console is a web-based GUI for manually managing resources, which is not suitable for automation and cannot be used in scripts or CI/CD pipelines. Option D is wrong because Cloud SDK is a set of command-line tools (like gcloud) that can be used to create resources individually, but it requires imperative scripting and does not provide declarative, repeatable infrastructure-as-code templates like Deployment Manager does.

659
MCQeasy

You need to automatically roll back a GKE deployment if a new version causes a spike in 5xx errors. The deployment uses a canary strategy with Istio traffic splitting. What should you do?

A.Use Cloud Monitoring to watch the canary's error rate and trigger a Cloud Function that updates the Istio VirtualService to route all traffic back to the stable version.
B.Set the canary's traffic weight to 0 in the Istio VirtualService if errors exceed threshold using a Kubernetes Job.
C.Use GKE's built-in auto-repair feature to replace unhealthy pods.
D.Configure an Istio VirtualService with a retry policy that automatically redirects traffic on errors.
AnswerA

This automates rollback by shifting traffic back to the stable version based on error rate threshold.

Why this answer

Istio allows traffic splitting between versions. By integrating with Cloud Monitoring, you can create an alert that triggers a rollback via a Cloud Function or through a CI/CD pipeline that monitors the canary's error rate. Istio itself does not have built-in rollback; you need external automation.

Cloud Deploy can manage canary with automatic rollback, but the question mentions Istio traffic splitting, so a combination of monitoring and automation is needed.

660
Drag & Dropmedium

Drag and drop the steps to set up a shared VPC in Google Cloud for a multi-project environment into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

The host project holds the VPC network. Service projects use the subnets. IAM roles control who can use the subnets.

661
MCQmedium

Refer to the exhibit. An application running on a GCE instance (ID: 1234567890) is unable to connect to a database at 10.0.0.1:5432. The logs show repeated 'Connection refused' errors. What is the most likely cause?

A.The firewall rule allowing traffic on port 5432 is missing or misconfigured.
B.The instance is using an outdated SSL certificate.
C.The database service is not running or is not listening on port 5432.
D.The VPC network has no route to the database subnet.
AnswerC

'Connection refused' indicates that the destination host is reachable but no service is listening on that port.

662
MCQhard

A large e-commerce company runs a multi-tier application on Google Cloud. The frontend is served by a global HTTP Load Balancer with a backend service pointing to a managed instance group (MIG) of nginx web servers. The application tier consists of a regional internal TCP/UDP load balancer distributing traffic to a MIG of Java application servers. The database tier uses Cloud SQL for PostgreSQL in a failover replica configuration. The architecture is deployed in the us-central1 region across three zones. Recently, the operations team noticed intermittent 502 Bad Gateway errors from the frontend load balancer during peak traffic hours. The errors last for a few minutes and then recover. The team suspects the application tier is overwhelmed. They need to implement a solution that can handle traffic spikes without manual intervention. Which course of action should they take?

A.Increase the maximum number of instances in the application tier MIG from 10 to 20.
B.Enable Cloud Armor on the frontend load balancer with a rate-limiting rule to block excessive traffic.
C.Configure HTTP health checks on the regional internal load balancer and set the autoscaler to use the 'HTTP load balancing utilization' metric for the application tier MIG.
D.Enable Cloud CDN on the frontend load balancer to cache static assets and reduce load on the application tier.
AnswerC

Health checks ensure the load balancer only sends traffic to healthy instances, and autoscaling based on load balancing utilization will automatically adjust capacity.

Why this answer

Option C is correct because the intermittent 502 errors during peak traffic indicate that the application tier MIG is being overwhelmed. By configuring HTTP health checks on the regional internal load balancer and setting the autoscaler to use the 'HTTP load balancing utilization' metric, the autoscaler can scale the application tier MIG based on the actual load distribution from the internal load balancer, ensuring it handles traffic spikes without manual intervention. This directly addresses the root cause—insufficient application instances—by enabling dynamic scaling based on real-time utilization.

Exam trap

The trap here is that candidates often confuse frontend load balancer errors with frontend capacity issues and choose CDN or rate-limiting, but the 502 Bad Gateway error specifically indicates the backend (application tier) is failing to respond, so the solution must scale the application tier itself.

How to eliminate wrong answers

Option A is wrong because simply increasing the maximum number of instances from 10 to 20 does not enable autoscaling; the MIG would still need a scaling policy to trigger new instances during spikes, and without a metric-based autoscaler, the instances would not be created automatically. Option B is wrong because enabling Cloud Armor with rate-limiting would block excessive traffic at the frontend, but the 502 errors originate from the backend (application tier) being overwhelmed, not from the frontend; rate-limiting would reject legitimate traffic and degrade user experience without solving the capacity issue. Option D is wrong because enabling Cloud CDN caches static assets at the edge, which reduces load on the frontend web servers but does not address the application tier's inability to handle dynamic request spikes; the 502 errors are likely from the application tier timing out, not from static asset serving.

663
MCQeasy

A company is migrating to Google Cloud and needs to connect their on-premises network to a VPC. They require high bandwidth and a reliable connection with a Service Level Agreement (SLA). Which solution should they choose?

A.Cloud VPN with dynamic routing
B.Dedicated Interconnect
C.Partner Interconnect via a service provider
D.Direct Peering
AnswerB

Dedicated Interconnect offers high bandwidth and an SLA.

Why this answer

Dedicated Interconnect provides a direct, private physical connection between your on-premises network and Google's network, offering high bandwidth (10 or 100 Gbps per link) and a 99.99% uptime SLA when configured with redundant links. This meets the requirements for high bandwidth and a reliable, SLA-backed connection better than any other option.

Exam trap

The trap here is that candidates often confuse Partner Interconnect with Dedicated Interconnect, assuming any 'Interconnect' offers an SLA, but only Dedicated Interconnect provides a direct physical link with a 99.99% SLA, while Partner Interconnect's SLA depends on the partner's network and is typically lower.

How to eliminate wrong answers

Option A is wrong because Cloud VPN uses the public internet with IPsec tunnels, offering no SLA and limited bandwidth (typically up to 3 Gbps per tunnel), making it unsuitable for high-bandwidth, SLA-backed requirements. Option C is wrong because Partner Interconnect relies on a third-party service provider's network, which may introduce additional latency and does not provide the same direct, dedicated SLA as Dedicated Interconnect; it is designed for cases where a direct physical connection is not feasible. Option D is wrong because Direct Peering is a non-SLA, best-effort connection established via public exchange points, intended for traffic exchange with Google services, not for dedicated, SLA-backed connectivity to a VPC.

664
Multi-Selectmedium

You need to collect and analyze logs from multiple projects in a centralized BigQuery dataset for auditing. Which THREE steps are required? (Choose 3)

Select 3 answers
A.Enable VPC Flow Logs in all projects
B.Use an aggregated sink at the organization or folder level to collect logs from all projects
C.Grant the 'bigquery.dataEditor' role to the Cloud Logging service account
D.Create a log exclusion filter to remove sensitive data
E.Create a log sink in each project that exports to a shared BigQuery dataset
AnswersB, C, E

Simplifies management.

Why this answer

Create a log sink to BigQuery, set up aggregated sink across projects, and grant necessary IAM roles.

665
Matchingmedium

Match each GCP storage service to its typical use case.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Object storage for unstructured data

Managed NFS file server

Block storage for VM instances

NoSQL database for large analytical workloads

Globally distributed relational database

Why these pairings

These are primary storage options in GCP.

666
MCQmedium

A company wants to use Customer-Managed Encryption Keys (CMEK) for data at rest in Cloud Storage, but also needs to ensure that the keys are stored in a hardware security module (HSM) to meet compliance requirements. Which Cloud KMS key type should they choose?

A.Predefined key
B.External key (Cloud External Key Manager)
C.Software-backed key
D.Cloud HSM key
AnswerD

Cloud HSM keys are stored in FIPS 140-2 Level 3 certified HSMs.

Why this answer

Cloud HSM provides HSM-backed keys that are FIPS 140-2 Level 3 certified. Using Cloud HSM for the CMEK ensures the key material is stored in a hardware security module.

667
MCQmedium

A company needs to store petabytes of time-series IoT sensor data and query it with single-digit millisecond latency at millions of reads per second. The data has a simple key-value structure with timestamps. Which Google Cloud database is MOST appropriate?

A.Cloud Bigtable
B.Cloud Spanner
C.BigQuery
D.Firestore
AnswerA

Bigtable is the correct choice: wide-column NoSQL, designed for time-series and IoT workloads, single-digit ms latency, and scales to millions of QPS with additional nodes.

Why this answer

Cloud Bigtable is designed for exactly this use case — petabyte-scale, low-latency (single-digit ms), high-throughput NoSQL storage for time-series, IoT, and financial data. It scales horizontally by adding nodes. BigQuery is optimised for analytics (seconds-to-minutes latency), Cloud SQL is for OLTP (limited to tens of thousands of QPS), and Firestore is for document data with hierarchical structure.

668
MCQhard

An organization runs a Cloud Run service that processes incoming HTTP requests. Under heavy load, some requests timeout. The team wants to reduce cold starts and ensure consistent performance. They set min instances to 1, but the issue persists. Which additional configuration should they change?

A.Reduce concurrency
B.Set CPU always allocated to true
C.Increase max instances
D.Increase request timeout
AnswerB

This ensures the instance always has CPU, reducing latency for requests that hit an idle instance.

Why this answer

Increasing CPU allocation ensures that even idle instances have CPU, reducing latency for incoming requests.

669
Multi-Selecteasy

Which TWO methods can be used to restrict inbound traffic to a Compute Engine instance to only specific IP addresses without relying on instance-level firewall rules? (Choose 2)

Select 2 answers
A.Use VPC Service Controls
B.Configure Cloud Armor policies
C.Create firewall rules in the VPC network
D.Assign a service account to the instance
E.Use Identity-Aware Proxy (IAP) for TCP forwarding
AnswersC, E

Firewall rules can restrict inbound traffic based on source IP ranges.

Why this answer

Option C is correct because VPC firewall rules operate at the network level, not the instance level, and can be configured to allow inbound traffic only from specific source IP ranges (e.g., using the 'sourceRanges' field). These rules are applied to all instances in the VPC or subnet, independent of any instance-level configuration, making them a valid method to restrict traffic without relying on instance-level firewall rules.

Exam trap

Google Cloud often tests the distinction between network-level controls (VPC firewall rules) and instance-level controls (like guest OS firewalls), and candidates may incorrectly think that service accounts or VPC Service Controls can filter inbound IP traffic.

670
Multi-Selectmedium

A company needs to ensure that only approved machine images can be used to create Compute Engine instances to meet security compliance. Which two methods should they use? (Choose two.)

Select 2 answers
A.Use VPC Service Controls to prevent creation from unauthorized images
B.Use a custom role with permissions restricted to specific image families
C.Use Cloud Asset Inventory to detect non-compliant images and trigger remediation
D.Use IAM conditions on compute.instances.create to require a specific family label
E.Use Organization Policy constraint compute.trustedImageProjects
AnswersB, E

Custom roles can limit which images a user can use by granting permissions on specific image projects.

Why this answer

The organization policy constraint compute.trustedImageProjects restricts allowed image projects. Creating a custom role with permissions limited to specific image projects also works. IAM conditions on instance creation are not effective; VPC Service Controls don't apply to images; detection alone is not prevention.

671
MCQhard

A company is migrating an on-premises application to Google Cloud. The application requires access to a legacy database that can only be reached from a specific on-premises IP address. The company has established a Cloud VPN tunnel. What is the MOST secure way to ensure that only the migrated application's Compute Engine instances can initiate connections to the on-premises database?

A.Create a Cloud NAT and assign the application instances a static IP, then allow that IP in the on-premises firewall
B.Create a firewall egress rule with destination IP range of the on-premises database and source service account of the application instances
C.Create a firewall egress rule with destination IP range of the on-premises database and source tags 'db-access'
D.Use VPC Service Controls to create a perimeter around the application VPC
AnswerB

Using service accounts ensures only instances with that specific identity can access the database.

Why this answer

Using firewall rules with target service accounts allows you to control egress traffic based on the identity of the source instances, which is more secure than using tags or IP ranges.

672
MCQeasy

A company wants to test the performance of a new web application under high load. They need a tool that can generate traffic from multiple regions. Which Google Cloud service should they use?

A.Cloud Load Testing
B.Cloud Run
C.Cloud Shell
D.Locust
AnswerA

Cloud Load Testing is the GCP managed service for generating load from multiple regions.

Why this answer

Cloud Load Testing (formerly Cloud Load Balancing) is a managed service that can generate load from multiple regions. Locust is an open-source tool that can be deployed on Compute Engine but is not a managed GCP service. Cloud Shell is a development environment.

Cloud Run is for running containers.

673
MCQmedium

The exhibit shows a Cloud Storage bucket IAM policy. A developer (admin@example.com) wants to upload a file to the bucket but gets a permission denied error. What is the most likely reason?

A.An organization policy denies all write operations
B.The developer is not a member of the project
C.The service account my-sa overrides the developer's permissions
D.The developer is assigned only the objectViewer role
AnswerD

objectViewer cannot write.

Why this answer

Option C is correct because the developer only has roles/storage.objectViewer (read-only), not write access. Option A is wrong because there is no explicit deny. Option B is wrong because the service account has admin, but that doesn't affect the user.

Option D is wrong because the user is included.

674
Multi-Selectmedium

A company is designing a disaster recovery plan for a critical application running on Compute Engine with a regional persistent disk. They want to minimize recovery time objective (RTO) and recovery point objective (RPO). Which TWO strategies should they implement? (Choose two.)

Select 2 answers
A.Use snapshot replication to a secondary region.
B.Take manual snapshots after a failure occurs.
C.Create an instance template in the same region.
D.Store backups in Cloud Storage with a lifecycle policy.
E.Create a custom image of the boot disk and copy it to another region.
AnswersA, E

Snapshots can be replicated to another region for quick restore.

Why this answer

Option A is correct because snapshot replication to a secondary region allows you to create and store disk snapshots in a different region, enabling rapid recovery of the application in that secondary region. This minimizes RTO by having the snapshots readily available for creating new disks and instances, and minimizes RPO by scheduling frequent, automated snapshots that capture incremental changes, ensuring data loss is limited to the snapshot interval.

Exam trap

Google Cloud often tests the distinction between regional persistent disks (which are synchronous within a region) and cross-region disaster recovery strategies, leading candidates to mistakenly think that a regional persistent disk alone provides cross-region redundancy, when in fact you must explicitly replicate snapshots or images to another region.

675
MCQmedium

The exhibit shows a Cloud Storage bucket configuration. What does this configuration ensure?

A.Older versions of objects are automatically transferred to a different storage class.
B.Data is replicated to another region for disaster recovery.
C.Objects can only be permanently deleted after the retention period expires.
D.Objects older than 30 days will be automatically deleted.
AnswerC

A locked retention policy prevents permanent deletion before the retention period ends. Versioning retains noncurrent versions.

Why this answer

The exhibit shows a bucket configured with a retention policy. When a retention policy is set on a Cloud Storage bucket, objects cannot be deleted or overwritten until the retention period expires. This ensures that objects can only be permanently deleted after the retention period ends, which is exactly what option C describes.

Exam trap

The trap here is that candidates confuse retention policies with lifecycle management rules, mistakenly thinking retention policies automatically delete or transition objects, when in fact they only prevent deletion until the retention period expires.

How to eliminate wrong answers

Option A is wrong because retention policies do not automatically transfer objects to a different storage class; that is the function of lifecycle management rules, not retention policies. Option B is wrong because retention policies do not replicate data to another region; replication is configured separately using object replication or dual-region buckets. Option D is wrong because retention policies do not automatically delete objects after a period; they prevent deletion until the retention period expires, and automatic deletion is achieved via lifecycle rules with a Delete action.

Page 8

Page 9 of 14

Page 10
Google Professional Cloud Architect PCA Questions 601–675 | Page 9/14 | Courseiva