CCNA Design and plan a cloud solution architecture Questions

55 questions · Design and plan a cloud solution architecture · All types, answers revealed

1
MCQhard

Refer to the exhibit. All five nginx pods are scheduled on the same node (default-pool-1). What is the most likely reason?

A.The node auto-scaler has not created additional nodes yet, but the other nodes are present.
B.The pods have a nodeSelector that matches only default-pool-1.
C.The other nodes have taints that the pods do not tolerate.
D.The resource requests are too high, so the scheduler packed pods onto one node due to resource constraints on the others.
AnswerC

Correct: If nodes have taints, pods without matching tolerations will not be scheduled on them, causing all pods to land on the node without taints.

Why this answer

The cluster was created with 3 nodes and node auto-scaling enabled. However, the pods are all on the same node. This could be due to resource requests not being high enough to spread across nodes, or taints/tolerations.

But the most common cause is that the node auto-scaler hasn't scaled up yet, and the scheduler packed the pods onto one node because the total resource requests fit. However, the output shows 3 nodes, so there is capacity. Another possibility is that the other nodes have taints that the pods don't tolerate.

Since no taints are shown, the likely reason is that the pod resource requests are low and the scheduler packed them. But the question asks for 'most likely'. Given that the cluster has 3 nodes and all pods are on one, it suggests that the other nodes might be tainted.

Alternatively, the scheduler might be configured with a 'MostRequestedPriority' policy. However, the default scheduler spreads pods. The most common issue is that the other nodes have taints that prevent scheduling.

Without taints, the scheduler should spread. The exhibit doesn't show taints, but the question implies a problem. Another possibility: the pods have a nodeSelector or affinity that restricts them to a specific node.

But none is shown. The correct answer is that the node pool default-pool-1 may have a different machine type or configuration, but they are all the same. Actually, the cluster was created with --num-nodes=3, but the node list shows three nodes: default-pool-1, default-pool-2, default-pool-3.

So the pods are all on default-pool-1. This could be because the other nodes have taints that the pods don't tolerate. Since not specified, the most likely reason is that the other nodes have a taint like 'node.kubernetes.io/unschedulable' or a custom taint.

But the exhibit shows them Ready. Possibly the pods have a nodeSelector for a label that only default-pool-1 has. However, the correct answer based on common exam scenarios is that the node auto-scaler hasn't scaled up the other nodes, but they are already present.

Another typical reason: the pods have resource requests that are too low, but that would still spread. I think the intended answer is that the other nodes have taints, but we don't see that. Alternatively, the pod's resource requests are so low that the scheduler packed them.

Given the choices, the correct one is likely about taints or node affinity not being set. Let me design the options accordingly.

2
Multi-Selecthard

A company has set up an external HTTP(S) load balancer with a backend service pointing to a managed instance group. Some instances are failing health checks. Which TWO actions should the company take to troubleshoot the issue?

Select 2 answers
A.Ensure the health check path specified in the backend service returns a 200 OK status.
B.Verify that the firewall rules allow traffic from the load balancer health check IP ranges.
C.Disable session affinity to allow better distribution of traffic.
D.Change the health check interval from 5 seconds to 30 seconds.
E.Increase the number of instances in the instance group to distribute the load.
AnswersA, B

If the health check path does not respond correctly, the instance will be considered unhealthy.

Why this answer

Option A is correct because the HTTP(S) load balancer's health check probes the specified path on each backend instance. If the path does not return a 200 OK status, the load balancer marks the instance as unhealthy and stops sending traffic to it. Ensuring the health check path returns a 200 OK is the first step in verifying that the health check is configured correctly.

Exam trap

The trap here is that candidates often focus on load distribution or scaling solutions (options C and E) rather than the fundamental connectivity and application-level checks (options A and B) that directly determine health check success.

3
MCQmedium

A company runs a multi-tier web application on Google Kubernetes Engine (GKE) with a frontend service, a backend service, and a Cloud SQL for PostgreSQL database. During peak hours, the frontend pod CPU usage is high (consistently above 80%), while the backend service shows moderate CPU usage (around 50%). Response times for user requests increase significantly, often exceeding the 200ms p99 latency target. Cloud SQL metrics show low query latency and no contention. The team wants to improve performance in a cost-effective manner. Which initial step should they take?

A.Add a read replica for Cloud SQL to offload read queries.
B.Migrate the backend service to a custom machine type with more vCPUs.
C.Enable vertical pod autoscaling for the backend service.
D.Increase the number of frontend pods by adjusting the horizontal pod autoscaler's target CPU utilization.
AnswerD

Frontend CPU is high, so scaling out frontend pods will help handle the load and reduce latency. This is cost-effective as it adds only needed capacity.

Why this answer

The frontend pods are CPU-bound during peak hours, causing increased response times. Increasing the number of frontend pods via the Horizontal Pod Autoscaler (HPA) by lowering the target CPU utilization threshold distributes the load across more replicas, directly addressing the bottleneck without additional infrastructure cost. This is the most cost-effective initial step because it leverages existing resources and autoscaling capabilities.

Exam trap

Google Cloud often tests the misconception that backend or database changes are needed when the bottleneck is clearly at the frontend tier, leading candidates to choose expensive or irrelevant scaling options like read replicas or vertical scaling.

How to eliminate wrong answers

Option A is wrong because Cloud SQL metrics show low query latency and no contention, so a read replica would not resolve the frontend CPU bottleneck and would add unnecessary cost. Option B is wrong because the backend service shows only moderate CPU usage (50%), so migrating to a custom machine type with more vCPUs would be over-provisioning and not cost-effective; the bottleneck is the frontend, not the backend. Option C is wrong because vertical pod autoscaling (VPA) adjusts CPU/memory requests for existing pods, but the frontend pods are already CPU-saturated; scaling up vertically would require pod restarts and may hit node limits, whereas horizontal scaling is more appropriate for stateless web tiers.

4
Multi-Selectmedium

Which THREE are best practices for designing a highly available Cloud SQL for MySQL instance? (Choose 3)

Select 3 answers
A.Configure cross-region replication
B.Enable automatic backups
C.Use a regional persistent disk
D.Enable high availability with a standby in a different zone
E.Set a maintenance window in off-peak hours
AnswersB, C, D

Backups are essential for data restoration.

Why this answer

Option B is correct because automatic backups in Cloud SQL for MySQL provide point-in-time recovery (PITR) capabilities, which are essential for data durability and disaster recovery. Enabling automatic backups ensures that transaction logs are retained, allowing you to restore your database to any point within the backup retention period, typically up to 7 days.

Exam trap

The trap here is that candidates often confuse cross-region replication with high availability, but Cloud SQL's HA is zone-based within a single region, not cross-region, and maintenance windows are operational best practices, not HA design features.

5
MCQhard

A global e-commerce platform is experiencing intermittent latency spikes during flash sales. The application is deployed on Google Kubernetes Engine (GKE) with a regional cluster. The architecture includes a frontend service, a product catalog service using Cloud Spanner, and an order processing service using Cloud Pub/Sub. During high load, the catalog service shows increased query latency, and some requests time out. What should the architect prioritize to address the issue?

A.Use Cloud CDN to cache product catalog responses.
B.Increase the number of nodes in the GKE node pool.
C.Enable Cloud Spanner interleaved tables and add secondary indexes for common query filters.
D.Migrate the catalog service from Cloud Spanner to Cloud Bigtable for better read performance.
AnswerC

Secondary indexes and interleaved tables optimize query access patterns, reducing latency.

Why this answer

The correct answer is C because the issue is specifically with Cloud Spanner query latency under high load. Enabling interleaved tables and adding secondary indexes optimizes data locality and query performance, reducing the need for expensive cross-table joins and full table scans. This directly addresses the root cause of increased latency and timeouts in the catalog service.

Exam trap

The trap here is that candidates often confuse horizontal scaling (adding nodes) with database optimization, overlooking that Cloud Spanner performance issues require schema-level tuning rather than infrastructure scaling.

How to eliminate wrong answers

Option A is wrong because Cloud CDN caches static content at edge locations, but the product catalog service uses Cloud Spanner for dynamic, frequently updated data; caching would serve stale data and not resolve database query latency. Option B is wrong because increasing GKE nodes adds compute capacity but does not fix the underlying database query performance issue; the bottleneck is in Cloud Spanner, not in pod scheduling or node resources. Option D is wrong because Cloud Bigtable is optimized for high-throughput, low-latency key-value lookups, not for complex queries with secondary filters or joins; migrating would require significant architectural changes and may not support the catalog service's query patterns.

6
MCQhard

Refer to the exhibit. A user creates a snapshot of a persistent disk. Later, they want to create a new VM from this snapshot in the same project but in a different region (europe-west1). Which step is missing or incorrect?

A.The snapshot cannot be used to create a VM in a different region; the user must first create a disk in the same region and then replicate it.
B.The snapshot must be created with '--storage-location=europe-west1' to be usable in that region.
C.The user must wait for the snapshot operation to complete before using it to create a VM.
D.The user must specify the '--region' flag when creating the snapshot to make it available in europe-west1.
AnswerC

Correct: The '--async' flag returns immediately without waiting for the operation to complete. The snapshot must be in a 'READY' state before it can be used.

Why this answer

The snapshot created is regional (stored in the same region as the source disk). To create a VM in a different region, the snapshot must be made available globally or copied to the target region. The command 'gcloud compute snapshots create' without '--storage-location' defaults to the multi-regional location of the source disk.

However, the snapshot can be used across regions if it is a global resource. But to create a VM in a different region directly, the snapshot must be accessible globally, which is the default. The issue is that the command used '--async' which returns immediately, and the user may not have waited for completion.

Additionally, the snapshot is not listed because it may not have completed. The correct approach would be to wait for the snapshot to complete before creating the VM.

7
Drag & Dropmedium

Drag and drop the steps to set up a VPC network peering between two projects in Google Cloud into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

VPC peering requires bidirectional connections; both sides must initiate peering. IP ranges must not overlap.

8
MCQeasy

A startup is building a web application that experiences unpredictable traffic spikes. They want a scalable solution that minimizes costs. Which Google Cloud service should they use to run their containerized application?

A.App Engine Standard Environment
B.Cloud Run for Anthos
C.Compute Engine with managed instance groups
D.Google Kubernetes Engine (GKE) with autoscaling
AnswerD

GKE provides automatic scaling of nodes and pods, ideal for containerized apps with spikes.

Why this answer

Google Kubernetes Engine (GKE) with autoscaling is the correct choice because it combines cluster autoscaling (which adjusts the number of nodes based on pod resource requests) with Horizontal Pod Autoscaling (which scales the number of pod replicas based on CPU/memory utilization or custom metrics). This dual-layer scaling handles unpredictable traffic spikes efficiently while minimizing costs by only provisioning resources when needed, and it is purpose-built for containerized applications.

Exam trap

The trap here is that candidates often choose Compute Engine with managed instance groups (Option C) because they think it is the most cost-effective, but they overlook that GKE's autoscaling is more granular (pod-level vs. VM-level) and reduces operational overhead for containerized workloads, making it the better choice for minimizing costs and handling unpredictable spikes.

How to eliminate wrong answers

Option A is wrong because App Engine Standard Environment runs applications in a sandboxed runtime (e.g., Java 8, Python 2.7) and does not support arbitrary containerized workloads; it requires code to conform to specific runtime constraints and does not allow custom Docker images. Option B is wrong because Cloud Run for Anthos is designed for running stateless containers on GKE clusters, but it adds unnecessary complexity and cost (Anthos licensing) for a simple web app that does not require hybrid/multi-cloud capabilities; GKE alone with autoscaling is more cost-effective. Option C is wrong because Compute Engine with managed instance groups can autoscale VMs, but it requires manual management of container orchestration (e.g., installing Docker, configuring load balancers) and lacks the native pod-level scaling and self-healing capabilities that GKE provides for containerized applications, leading to higher operational overhead and potential cost inefficiency.

9
MCQmedium

An organization has multiple Google Cloud projects that need to access a shared Cloud SQL database. The database should only be accessible from authorized projects. What is the most secure way to grant access?

A.Use Cloud SQL Proxy on each project's Compute Engine instances.
B.Configure the Cloud SQL instance with a private IP in a shared VPC and grant IAM roles to the authorized projects.
C.Expose the Cloud SQL instance on a public IP and authorize the IP ranges of the projects.
D.Set up a Cloud VPN between each project's VPC and the VPC hosting Cloud SQL.
AnswerB

Private IP and shared VPC provide a secure, internal network path with IAM controls.

Why this answer

Option B is correct because using a private IP in a shared VPC ensures that Cloud SQL is not exposed to the public internet, and IAM roles (e.g., roles/cloudsql.client) allow fine-grained access control at the project level. This approach leverages VPC peering or shared VPC to restrict network access exclusively to authorized projects, eliminating the need for public IPs or complex VPN configurations while maintaining high security.

Exam trap

The trap here is that candidates often confuse Cloud SQL Proxy (a secure tunnel tool) with a method for project-level authorization, when in fact it only provides encryption and IAM-based user authentication, not network-level restriction to specific projects.

How to eliminate wrong answers

Option A is wrong because Cloud SQL Proxy is a client-side tool that provides encrypted connections and IAM-based authentication, but it does not by itself restrict access to authorized projects; it still requires the Cloud SQL instance to have a public IP or be accessible via private networking, and it does not enforce project-level authorization. Option C is wrong because exposing Cloud SQL on a public IP and authorizing IP ranges is less secure; IP addresses can be spoofed or changed, and this approach relies on network-level controls rather than IAM-based project authorization, increasing the attack surface. Option D is wrong because setting up a Cloud VPN between each project's VPC and the VPC hosting Cloud SQL adds unnecessary complexity and cost; a shared VPC or VPC peering is more straightforward and provides the same private connectivity without the overhead of VPN tunnels.

10
MCQmedium

A company hosts a web application on Compute Engine behind a global HTTP(S) load balancer. They notice that some users experience high latency from certain regions. They want to improve performance without adding complexity. What should they do?

A.Add more instances in the same region
B.Use Premium Tier networking
C.Enable Cloud Armor
D.Enable Cloud CDN
AnswerD

Cloud CDN caches content at edge locations, reducing latency.

Why this answer

Option D is correct because enabling Cloud CDN caches content at Google's globally distributed edge caches, reducing latency for users in regions far from the origin Compute Engine instances. This directly addresses the high-latency issue without adding complexity, as it requires no changes to the application architecture and is a simple configuration toggle on the load balancer backend bucket or backend service.

Exam trap

The trap here is that candidates may confuse network optimization (Premium Tier) with content caching (CDN), assuming that faster routing alone solves geographic latency, but only caching eliminates the need for long-distance round trips.

How to eliminate wrong answers

Option A is wrong because adding more instances in the same region does not reduce latency for users in distant regions; it only increases capacity within that region, leaving cross-continental network hops unchanged. Option B is wrong because Premium Tier networking improves routing performance by using Google's global fiber network, but it does not cache content; it still requires a full round trip to the origin for every request, so it does not eliminate latency from geographic distance. Option C is wrong because Cloud Armor provides security protections like DDoS mitigation and WAF rules; it does not cache or accelerate content delivery, so it has no effect on latency for static or cacheable responses.

11
MCQhard

A company is migrating a monolithic application to Google Cloud. The application consists of a stateful service that writes to local disk and a stateless web server. They want to minimize changes to the code. Which architecture should they use?

A.Run the entire application on Cloud Run and use Cloud Filestore for shared state
B.Use App Engine Flexible Environment for the web server and Cloud SQL for state
C.Refactor the application into microservices and deploy on GKE with StatefulSets
D.Lift and shift to Compute Engine instances with persistent disks for stateful service
AnswerD

Minimal code changes, uses persistent disks for state.

Why this answer

Option D is correct because it represents a lift-and-shift migration that minimizes code changes by running the monolithic application on Compute Engine instances. The stateful service can use persistent disks for local disk writes, while the stateless web server runs on the same or separate instances, preserving the existing architecture without refactoring.

Exam trap

The trap here is that candidates often over-engineer the solution by choosing cloud-native options (like Cloud Run or GKE) that require code changes, ignoring the explicit requirement to minimize changes and the suitability of a simple lift-and-shift with persistent disks.

How to eliminate wrong answers

Option A is wrong because Cloud Run is stateless and does not support local disk writes; Cloud Filestore is a network file system that would require code changes to replace local disk I/O. Option B is wrong because App Engine Flexible Environment does not support local disk writes for stateful services, and migrating to Cloud SQL would require significant code changes to replace local disk-based state. Option C is wrong because refactoring into microservices and using GKE with StatefulSets contradicts the requirement to minimize code changes, as it requires substantial application restructuring.

12
MCQhard

Refer to the exhibit. A subnet was created with the `--enable-private-ip-google-access` flag. What does this flag enable for instances in this subnet?

A.Instances can use direct peering to connect to on-premises networks.
B.Instances automatically receive internal DNS names for Google services.
C.Instances can access Google APIs and services without requiring an external IP address.
D.Instances can route traffic to the internet through a Cloud NAT gateway.
AnswerC

This is the purpose of Private Google Access: it enables private IP VMs to reach Google services via the Google network.

Why this answer

The `--enable-private-ip-google-access` flag allows VM instances in a subnet to reach Google APIs and services (such as Cloud Storage, BigQuery, and Cloud Pub/Sub) using only their internal (private) IP addresses, without needing an external IP address. This works by routing traffic through Google's internal network to the Google Front End (GFE), bypassing the public internet.

Exam trap

Google Cloud often tests the distinction between private Google access (which only covers Google APIs and services) and Cloud NAT (which provides outbound internet access for private instances), leading candidates to confuse the two or assume private Google access enables general internet connectivity.

How to eliminate wrong answers

Option A is wrong because direct peering to on-premises networks is enabled by setting up a dedicated interconnect or partner interconnect, not by the `--enable-private-ip-google-access` flag. Option B is wrong because internal DNS names for Google services are automatically provided by the Cloud DNS service for resources within the VPC, not by this subnet-level flag. Option D is wrong because routing traffic to the internet through a Cloud NAT gateway is a separate configuration that requires a Cloud NAT resource and a router, and it is not enabled by this flag; the flag specifically enables access to Google APIs and services, not general internet access.

13
MCQeasy

You need to store object data that is accessed infrequently (once a quarter) but must be retained for 10 years for compliance. Which storage class is the most cost-effective?

A.Archive
B.Standard
C.Nearline
D.Coldline
AnswerA

Archive is for data accessed less than once a year.

Why this answer

Archive storage class is the most cost-effective for data accessed once a quarter and retained for 10 years because it offers the lowest storage cost among Google Cloud Storage classes, designed for long-term preservation with retrieval times in minutes (typically under 15 minutes). The infrequent access pattern (once per quarter) aligns with Archive's trade-off of higher retrieval costs and minimum storage duration of 365 days, which is easily met by the 10-year retention requirement.

Exam trap

Google Cloud often tests the misconception that Coldline is the cheapest storage class, but Archive is actually the lowest-cost option for data with access intervals greater than 90 days and a retention period exceeding 365 days.

How to eliminate wrong answers

Option B (Standard) is wrong because it is optimized for frequently accessed data with no minimum storage duration and higher per-GB storage costs, making it unnecessarily expensive for quarterly access over 10 years. Option C (Nearline) is wrong because it is designed for data accessed less than once a month, with a 30-day minimum storage duration, but its storage cost is higher than Archive and it does not provide the lowest cost for data accessed only once a quarter. Option D (Coldline) is wrong because it is intended for data accessed less than once every 90 days, with a 90-day minimum storage duration, but its storage cost is still higher than Archive, which is the most cost-effective for data accessed as infrequently as once per quarter.

14
MCQhard

Refer to the exhibit. A security team wants to ensure that the service account 'sa-compute' can only be used by the instance admin role. Currently, any user with 'iam.serviceAccountUser' on the project can impersonate it. Which change should be made to the policy?

A.Add a condition to the 'roles/iam.serviceAccountUser' binding that restricts access to only the instance admin.
B.Modify the project policy to change the 'roles/iam.serviceAccountUser' member to 'user:developer@example.com'.
C.Remove the 'roles/iam.serviceAccountUser' binding from the project policy and add a resource-level policy on the service account granting 'roles/iam.serviceAccountUser' only to 'developer@example.com'.
D.Create a new custom role that combines 'roles/compute.instanceAdmin.v1' and 'roles/iam.serviceAccountUser' and assign it to 'developer@example.com'.
AnswerC

Correct: This restricts the ability to impersonate the service account to only the developer, not everyone with the project-level role.

Why this answer

The exhibit shows a project-level IAM policy. The service account 'sa-compute' is granted 'roles/iam.serviceAccountUser' at the project level, meaning any user with that role on the project can impersonate it. To restrict usage, the policy should grant 'roles/iam.serviceAccountUser' on the service account itself to only specific users, not at the project level.

The correct approach is to remove the project-level binding and add a resource-level policy on the service account.

15
MCQhard

A financial services company is designing a multi-region application on Google Kubernetes Engine (GKE) for high availability. They need to serve user requests from the closest region and automatically failover if a region becomes unavailable. Which architecture should they use?

A.Use a global external HTTP(S) load balancer with a single backend service pointing to one regional cluster.
B.Use Cloud CDN in front of a single regional GKE cluster to cache content.
C.Use a single regional GKE cluster with auto-scaling across zones.
D.Deploy GKE clusters in multiple regions and use a multicluster ingress with an external HTTP(S) load balancer set up with the global external backend.
AnswerD

This architecture uses the Global External HTTP(S) Load Balancer with multicluster ingress to direct traffic to the nearest healthy cluster, providing geographic load balancing and failover.

Why this answer

Option D is correct because deploying GKE clusters in multiple regions and using a multicluster ingress with a global external HTTP(S) load balancer enables traffic routing to the closest healthy backend cluster based on latency or geography, and automatically fails over to another region if one becomes unavailable. The global external backend configuration allows the load balancer to distribute traffic across multiple regional GKE clusters, providing both proximity-based routing and high availability.

Exam trap

The trap here is that candidates often confuse zonal high availability (auto-scaling across zones within one region) with regional high availability (multi-region failover), and overlook that a global load balancer with multiple regional backends is required for true multi-region traffic steering and failover.

How to eliminate wrong answers

Option A is wrong because a single backend service pointing to one regional cluster cannot provide multi-region failover or route users to the closest region; it only supports a single region. Option B is wrong because Cloud CDN caches content but does not provide active failover or multi-region traffic steering; it only reduces latency for cached content from a single origin. Option C is wrong because a single regional GKE cluster with auto-scaling across zones provides zonal high availability within one region but cannot serve requests from the closest region or failover to another region if the entire region becomes unavailable.

16
MCQmedium

A data analytics company runs nightly batch jobs using Compute Engine instances. The jobs can tolerate interruptions, and the company wants to minimize costs. What should they do?

A.Use preemptible VMs for the batch jobs.
B.Use C2 high-CPU machine types for faster processing.
C.Use standard (on-demand) VMs and commit to a 1-year resource-based commitment.
D.Deploy VMs on Sole-tenant nodes for cost isolation.
AnswerA

Preemptible VMs cost much less than standard VMs and can be interrupted, acceptable for batch jobs that are checkpointed.

Why this answer

Preemptible VMs (now called Spot VMs) are Compute Engine instances that last up to 24 hours and can be terminated at any time by Google Cloud. Because the batch jobs are interruptible, using preemptible VMs reduces compute costs by up to 60-91% compared to standard on-demand VMs, directly meeting the goal of minimizing costs.

Exam trap

The trap here is that candidates may confuse preemptible VMs with standard VMs and assume they are unreliable for any workload, but the question explicitly states the jobs can tolerate interruptions, making preemptible VMs the correct cost-saving choice.

How to eliminate wrong answers

Option B is wrong because C2 high-CPU machine types are optimized for compute-intensive workloads, not for cost minimization; they are more expensive per hour than standard machine types and do not address the interruptible nature of the jobs. Option C is wrong because committing to a 1-year resource-based commitment locks the company into a fixed cost for on-demand VMs, which is more expensive than preemptible VMs and unnecessary for interruptible batch jobs that do not require guaranteed availability. Option D is wrong because Sole-tenant nodes provide hardware isolation for compliance or licensing needs, not cost reduction; they actually increase costs due to premium pricing for dedicated hardware.

17
MCQeasy

A media streaming company is deploying a new video transcoding pipeline on Google Cloud. The pipeline receives raw video files uploaded to Cloud Storage, triggers a Cloud Function that submits transcoding jobs to a Compute Engine worker pool, and stores the transcoded output in another Cloud Storage bucket. The workers are managed by a managed instance group (MIG) running a custom container image. Currently, when there is a spike in uploads, the MIG takes 5-7 minutes to scale up new workers, causing processing delays. The architect needs to reduce the time to add new workers to under 2 minutes. The workers are stateless and the container image is about 2 GB. What should the architect do?

A.Use Cloud Run instead of Compute Engine to run the transcoding workers
B.Increase the minimum number of instances in the MIG to 10
C.Replace the Compute Engine workers with Cloud Functions to handle the transcoding
D.Create a custom Compute Engine image that includes the container runtime and pre-pulled container
AnswerD

A custom image with the container already pulled reduces boot time as the image does not need to be downloaded.

Why this answer

Option D is correct because creating a custom Compute Engine image that includes the container runtime and pre-pulls the 2 GB container image eliminates the need to download the image during scale-up. This reduces the instance startup time from 5-7 minutes to under 2 minutes, as the container is already cached locally on the image, bypassing the network pull delay.

Exam trap

The trap here is that candidates may assume increasing the minimum instance count (Option B) solves the scaling delay, but it only pre-provisions a fixed number of instances and does not address the startup latency for additional instances beyond that baseline.

How to eliminate wrong answers

Option A is wrong because Cloud Run has a maximum request timeout of 60 minutes and is designed for stateless HTTP-triggered workloads, not for long-running, resource-intensive video transcoding jobs that require GPU or high CPU. Option B is wrong because increasing the minimum number of instances to 10 does not reduce the time to add new workers; it only ensures a baseline of running instances, but scaling up beyond that still incurs the same 5-7 minute delay due to container image pull. Option C is wrong because Cloud Functions have a maximum execution timeout of 9 minutes and limited memory/CPU, making them unsuitable for transcoding large video files, which often require sustained compute and storage access.

18
Drag & Dropmedium

Drag and drop the steps to recover a Cloud SQL instance from a backup into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Restoring to an existing instance may overwrite data; best practice is to restore to a new instance.

19
Multi-Selecthard

A company is migrating a legacy on-premises application to Google Cloud. The application has strict low-latency requirements between its components and requires stateful TCP sessions. Which TWO design decisions should the architect recommend?

Select 2 answers
A.Use regional managed instance groups with internal load balancing.
B.Use Cloud NAT for outbound connectivity.
C.Use global load balancing with Cloud CDN.
D.Use Cloud VPN for on-premises connectivity.
E.Place all components in the same VPC network.
AnswersA, E

Supports session affinity and preserves source IP for stateful protocols.

Why this answer

Options B and D are correct. Placing all components in the same VPC network minimizes latency by leveraging Google's internal network, and avoids SNAT issues that could break stateful sessions. Using regional managed instance groups with internal load balancing preserves source IP and supports session affinity, which is essential for stateful TCP.

Option A is incorrect because global load balancing and Cloud CDN are optimized for web content, not stateful low-latency inter-component traffic. Option C is incorrect because Cloud NAT is used for outbound internet access and would break stateful sessions. Option E is incorrect because Cloud VPN connects on-premises to GCP, but does not directly address low-latency between cloud components.

20
MCQmedium

Refer to the exhibit. A Cloud Storage bucket has this IAM policy. What security recommendation should be made?

A.Remove the `allUsers` member and use signed URLs for public access.
B.Change `allUsers` to `allAuthenticatedUsers` to allow only authenticated users.
C.Enable uniform bucket-level access and update the IAM policy.
D.Remove the `roles/storage.objectViewer` role binding entirely.
AnswerA

Signed URLs provide controlled, temporary access without making the bucket publicly accessible.

Why this answer

The IAM policy grants `roles/storage.objectViewer` to `allUsers`, which makes the bucket's objects publicly readable by anyone on the internet. This is a security risk because it allows anonymous access without authentication or logging. The recommended practice is to remove the `allUsers` member and instead use signed URLs (which embed a time-limited access token) to grant temporary, controlled access to specific objects.

Exam trap

Google Cloud often tests the misconception that `allAuthenticatedUsers` is a secure alternative to `allUsers`, but the trap is that it still allows any authenticated identity (including attackers) to access the data, whereas signed URLs provide granular, revocable, and auditable access.

How to eliminate wrong answers

Option B is wrong because changing `allUsers` to `allAuthenticatedUsers` still allows any authenticated Google account (including attackers with a free account) to read the objects, which does not provide fine-grained access control and still exposes the data broadly. Option C is wrong because enabling uniform bucket-level access only ensures that all access is governed by IAM policies rather than ACLs, but it does not address the underlying problem of granting public access via `allUsers`. Option D is wrong because simply removing the role binding without replacing it with a secure access method (like signed URLs) would break all access to the objects, which is not a security recommendation but a denial of service.

21
MCQeasy

A small startup wants to deploy a containerized web application that scales automatically and only charges for resources used. They have limited operational experience. Which compute solution should they choose?

A.App Engine Standard Environment with a custom runtime.
B.Google Kubernetes Engine (GKE) with a multi-node pool.
C.Compute Engine with a managed instance group.
D.Cloud Run (fully managed).
AnswerD

Cloud Run manages scaling, and billing is based on request count and duration, ideal for startups with variable traffic.

Why this answer

Cloud Run is a fully managed serverless platform for containers that scales to zero and charges per request. Option A is wrong because GKE requires cluster management. Option B is wrong because App Engine Standard is for specific runtimes, not custom containers.

Option D is wrong because Compute Engine requires provisioning and scaling management.

22
MCQmedium

A company is designing a multi-region architecture for disaster recovery. Their primary region is us-central1 and they want a warm standby in another region. The application runs on Compute Engine with a stateful backend. Which approach minimizes RTO while keeping costs reasonable?

A.Use Cloud SQL cross-region replication and start Compute Engine instances on failover
B.Use a managed instance group in the secondary region with persistent disk snapshots and Cloud Load Balancing failover
C.Replicate the application to Cloud Run in the secondary region
D.Set up a managed instance group with instance templates in the secondary region without pre-provisioned instances
AnswerB

This provides warm standby with data replicated via snapshots.

Why this answer

Option B minimizes RTO by pre-provisioning Compute Engine instances in the secondary region via a managed instance group, using persistent disk snapshots for stateful data. This warm standby approach keeps instances ready to serve traffic with minimal startup delay, while Cloud Load Balancing failover automatically redirects traffic on primary region failure, balancing cost and recovery speed.

Exam trap

Google Cloud often tests the distinction between warm and cold standby by making candidates think that database replication alone (Option A) or serverless migration (Option C) meets the warm standby requirement, but they fail to address the stateful Compute Engine backend's need for pre-provisioned compute capacity and persistent disk state synchronization.

How to eliminate wrong answers

Option A is wrong because Cloud SQL cross-region replication provides database redundancy, but starting Compute Engine instances on failover introduces significant RTO due to instance boot time and application initialization, making it a cold standby rather than warm. Option C is wrong because Cloud Run is a serverless platform that does not support stateful backends with persistent disks or warm standby configurations, and it cannot directly replicate a stateful Compute Engine application without significant refactoring. Option D is wrong because a managed instance group without pre-provisioned instances means no instances are running in the secondary region, resulting in a cold standby with high RTO from instance creation and boot time, failing the warm standby requirement.

23
MCQmedium

A financial services company requires that all data stored in Cloud Storage be encrypted with keys they manage, rotate, and audit. They also need to enforce encryption at the bucket level. Which configuration should they use?

A.Use default Google-managed encryption
B.Use Cloud KMS with customer-managed encryption keys (CMEK)
C.Use customer-supplied encryption keys (CSEK)
D.Enable CMEK at the bucket level with a Cloud KMS key
AnswerB

CMEK provides key rotation and audit through Cloud KMS.

Why this answer

Option B is correct because customer-managed encryption keys (CMEK) with Cloud KMS allow the company to manage, rotate, and audit their own encryption keys while enforcing encryption at the bucket level. This meets the requirement of controlling key lifecycle and auditing, as Cloud KMS integrates with Cloud Audit Logs for key usage tracking.

Exam trap

The trap here is that candidates confuse CSEK with CMEK, thinking CSEK provides key management and auditing, when in fact CSEK requires the client to supply the key per request and lacks rotation and audit capabilities at the bucket level.

How to eliminate wrong answers

Option A is wrong because default Google-managed encryption uses Google-owned keys that the customer cannot manage, rotate, or audit, failing the key control requirement. Option C is wrong because customer-supplied encryption keys (CSEK) require the client to provide the key with each API call and do not support key rotation or auditing at the bucket level; they are also not persistent and cannot be enforced as a bucket-level policy. Option D is wrong because CMEK is already enabled at the bucket level by specifying a Cloud KMS key; the phrasing 'Enable CMEK at the bucket level with a Cloud KMS key' is redundant and misleading—CMEK is the mechanism, not a separate toggle, and the correct configuration is to set the bucket's default encryption to a CMEK key.

24
MCQhard

Refer to the exhibit. An architect created a VM instance using the above command. After the instance starts, the architect tries to access the nginx default page from the internet but gets a timeout. What is the most likely reason?

A.The VM is in a subnet without a Cloud NAT
B.The firewall rule allowing HTTP traffic is missing
C.The startup script failed to install nginx
D.The VM was created without an external IP address
AnswerD

The 'no-address' flag omits the external IP, making the VM unreachable from the internet.

Why this answer

The most likely reason for the timeout is that the VM was created without an external (public) IP address. Without an external IP, the VM is not directly reachable from the internet, even if nginx is running and firewall rules allow HTTP traffic. The timeout occurs because the internet has no route to the VM's private IP address.

Exam trap

Google Cloud often tests the distinction between connectivity failures caused by missing firewall rules (which produce connection refused or dropped packets) versus missing external IP addresses (which produce timeouts because the host is unreachable).

How to eliminate wrong answers

Option A is wrong because Cloud NAT is used for outbound internet access from private VMs, not for inbound access from the internet; inbound traffic requires an external IP or a load balancer. Option B is wrong because even if a firewall rule allowing HTTP traffic exists, it cannot help if the VM has no external IP to receive the traffic from the internet. Option C is wrong because a failed nginx installation would result in a connection refused error, not a timeout; a timeout indicates the packet never reached the VM at all.

25
MCQhard

The exhibit shows a command to create a Compute Engine instance. The instance is intended to run a web server that needs to access Cloud Storage buckets using its service account. However, the web server fails to read from a storage bucket. What is the most likely cause?

A.The service account is not attached to the instance
B.The tags http-server and https-server block outbound traffic
C.The boot disk type is SSD, which is not compatible with Cloud Storage
D.The service account lacks IAM permissions to read from Cloud Storage
AnswerD

Cloud Platform scope grants access, but IAM permissions on the bucket are missing.

Why this answer

Option A is correct because the scopes=cloud-platform grants all cloud API scopes, but authentication may fail if the service account does not have the proper IAM permissions (e.g., storage.objectViewer). Option B is wrong because pd-ssd is fine. Option C is wrong because the tags are for firewall rules, not storage access.

Option D is wrong because the SA is specified.

26
MCQhard

A company has a Cloud SQL for PostgreSQL instance with high read traffic. They want to offload read queries without modifying the application. Which strategy should they implement?

A.Increase the machine type of the primary instance
B.Implement a caching layer using Memorystore
C.Create read replicas and configure the application to use them
D.Migrate to Cloud Spanner for better scalability
AnswerC

Read replicas offload reads without app changes.

Why this answer

Creating read replicas in Cloud SQL for PostgreSQL allows you to offload read traffic from the primary instance without modifying the application, because the replicas are fully managed and can serve read queries directly. The application can be configured to point to the read replica's endpoint, which handles SELECT statements while the primary continues to handle writes. This is the most direct and cost-effective solution for high read traffic when application changes are not permitted.

Exam trap

Google Cloud often tests the misconception that caching (Memorystore) is the only way to offload reads, but the key constraint here is 'without modifying the application,' which eliminates caching because it requires application-level cache integration.

How to eliminate wrong answers

Option A is wrong because increasing the machine type of the primary instance only scales vertically, which does not offload read queries—it simply gives the same instance more resources, and the application still sends all traffic to a single endpoint. Option B is wrong because implementing a caching layer using Memorystore would require modifying the application to check the cache before querying the database, which violates the requirement of not modifying the application. Option D is wrong because migrating to Cloud Spanner is a significant architectural change that requires application modifications (e.g., using Spanner-specific client libraries and handling strong consistency differently), and it is overkill for simply offloading read traffic.

27
MCQhard

A financial services company is designing a multi-region disaster recovery architecture for a critical application. The application runs on Compute Engine with a stateful backend using Cloud Spanner. The Recovery Time Objective (RTO) is 1 hour, and the Recovery Point Objective (RPO) is 15 minutes. What architecture meets these requirements cost-effectively?

A.Deploy the application in two regions with active-active traffic load balancing and Cloud Spanner multi-region configuration.
B.Deploy in one region with scheduled snapshots to Cloud Storage and use persistent disk snapshots for recovery.
C.Deploy in two regions with active-passive using Cloud Load Balancing and Cloud Spanner backup/restore.
D.Use a single region with Cloud SQL for PostgreSQL and enable cross-region replication using Cloud SQL replica.
AnswerA

Cloud Spanner multi-region provides synchronous replication with RPO < 15 min and automatic failover meets RTO.

Why this answer

Option A is correct because it uses Cloud Spanner's multi-region configuration, which provides synchronous replication across regions with automatic failover, meeting an RPO of 15 minutes (typically seconds) and an RTO of 1 hour. Active-active traffic load balancing with Compute Engine ensures that the application can immediately route traffic to the healthy region, minimizing downtime without the need for manual failover or backup/restore operations.

Exam trap

The trap here is that candidates often confuse Cloud Spanner's backup/restore (asynchronous, slow) with its multi-region configuration (synchronous, fast), or assume that active-passive with backups can meet low RTO/RPO when in reality only synchronous replication can achieve sub-minute RPO and automatic failover.

How to eliminate wrong answers

Option B is wrong because scheduled snapshots to Cloud Storage and persistent disk snapshots are asynchronous and can take longer than 15 minutes to capture, potentially exceeding the RPO; also, recovery from snapshots involves manual steps that likely exceed the 1-hour RTO. Option C is wrong because Cloud Spanner backup/restore is an asynchronous process that can take hours to restore a database, far exceeding the 1-hour RTO, and active-passive setups introduce failover delays that may not meet the RTO. Option D is wrong because Cloud SQL for PostgreSQL with cross-region replication uses asynchronous replication, which can result in data loss exceeding the 15-minute RPO, and Cloud SQL does not support the same multi-region synchronous replication capabilities as Cloud Spanner.

28
Multi-Selecthard

A financial services company is designing a multi-tier application on Google Cloud. The application must meet PCI DSS compliance, with data encrypted at rest and in transit. They plan to use Cloud SQL for PostgreSQL for transactional data and Cloud Storage for archival data. Which TWO actions should the architect take to meet compliance requirements?

Select 2 answers
A.Configure client-side encryption in the application code
B.Rely on Google-managed default encryption for all data
C.Enable customer-managed encryption keys (CMEK) on Cloud SQL and Cloud Storage
D.Use VPC Service Controls to restrict data access
E.Use Cloud HSM with a key generated outside of Google Cloud
AnswersC, D

CMEK provides control over key management required for PCI DSS.

Why this answer

Option C is correct because enabling CMEK on Cloud SQL and Cloud Storage allows the company to use their own encryption keys, which is often required by PCI DSS to demonstrate control over key management. CMEK ensures data at rest is encrypted with keys managed via Cloud KMS, providing auditability and separation of duties beyond Google-managed default encryption.

Exam trap

The trap here is that candidates often assume Google-managed default encryption is sufficient for PCI DSS, but the exam tests the nuance that many compliance frameworks require customer-managed keys (CMEK) to demonstrate control over the encryption process, not just encryption itself.

29
MCQeasy

A company wants to restrict access to a Cloud Storage bucket so that only a specific service account can read objects. The bucket contains sensitive data. Which identity and access management (IAM) approach should the architect use?

A.Grant the service account roles/iam.serviceAccountUser on the bucket.
B.Use a signed URL to allow access for the service account.
C.Grant the service account roles/storage.admin on the bucket.
D.Grant the service account roles/storage.objectViewer on the bucket and remove all other bindings.
AnswerD

This restricts read access to only the service account.

Why this answer

Option D is correct because the principle of least privilege dictates that the service account should be granted only the minimal permissions required to read objects, which is roles/storage.objectViewer. By removing all other bindings, the bucket becomes accessible exclusively to that service account, ensuring that no other identities (users, groups, or other service accounts) can read the sensitive data. This approach directly enforces the requirement using IAM roles on the bucket resource.

Exam trap

Google Cloud often tests the misconception that granting a broad role like roles/storage.admin is acceptable for simplicity, but the trap here is that candidates overlook the principle of least privilege and the specific read-only requirement, leading them to choose an overly permissive role.

How to eliminate wrong answers

Option A is wrong because roles/iam.serviceAccountUser grants permission to impersonate the service account (e.g., to run jobs as that account), not to read objects from a Cloud Storage bucket; it does not provide any storage access. Option B is wrong because signed URLs are used to grant temporary access to specific objects for any user (including non-Google accounts) via a cryptographic signature, not to restrict access to a specific service account; they are not an IAM-based access control mechanism. Option C is wrong because roles/storage.admin grants full control over the bucket, including the ability to delete objects and modify bucket metadata, which violates the principle of least privilege and exceeds the read-only requirement.

30
MCQeasy

A company is migrating a legacy monolithic application to Google Cloud. The application currently runs on a single on-premises server and uses a local MySQL database. The company wants to minimize changes to the application code while improving scalability and reliability. Which migration strategy should the architect recommend?

A.Refactor the application into microservices and deploy on Google Kubernetes Engine.
B.Rehost the application on Compute Engine and use Cloud SQL for MySQL as the database.
C.Containerize the application with Docker and run it on Cloud Run.
D.Migrate the database to Firestore and rewrite the application to use Firestore APIs.
AnswerB

Rehosting on Compute Engine with Cloud SQL minimizes changes and improves scalability and reliability.

Why this answer

Option B is correct because rehosting (lift-and-shift) the monolithic application to Compute Engine with Cloud SQL for MySQL minimizes code changes while improving scalability and reliability. Cloud SQL provides managed MySQL with automated backups, replication, and failover, addressing the need for reliability without requiring application refactoring.

Exam trap

The trap here is that candidates often over-engineer the solution by choosing containerization or microservices, forgetting that the primary constraint is minimizing code changes, not modernizing the architecture.

How to eliminate wrong answers

Option A is wrong because refactoring into microservices and deploying on GKE introduces significant code changes and complexity, contradicting the requirement to minimize changes. Option C is wrong because containerizing with Docker and running on Cloud Run requires the application to be stateless and HTTP-driven, which a legacy monolithic app with a local MySQL database typically is not; Cloud Run also does not support stateful workloads or persistent MySQL connections natively. Option D is wrong because migrating to Firestore and rewriting the application to use Firestore APIs requires substantial code changes and a shift from SQL to NoSQL, violating the minimize-changes constraint.

31
MCQmedium

A company is migrating an on-premises PostgreSQL database to Cloud SQL with minimal downtime. The database is 1 TB and the network link has 500 Mbps bandwidth. Which migration approach is most appropriate?

A.Set up a Compute Engine instance with PostgreSQL replication and switch over.
B.Use BigQuery Data Transfer Service to replicate data.
C.Export the database as a SQL dump, transfer it to Cloud Storage, and import into Cloud SQL.
D.Use Database Migration Service to perform continuous replication and then promote Cloud SQL.
AnswerD

Database Migration Service supports continuous replication from on-premises to Cloud SQL with minimal downtime.

Why this answer

Database Migration Service (DMS) supports continuous replication from on-premises PostgreSQL to Cloud SQL using native PostgreSQL logical replication (pglogical or native publication/slot). This allows near-zero downtime by keeping the target in sync until promotion, which is ideal for a 1 TB database over a 500 Mbps link where a full dump/restore would take hours.

Exam trap

Google Cloud often tests the misconception that a simple dump-and-import (Option C) is acceptable for large databases, but the trap here is ignoring the 'minimal downtime' requirement, which demands a continuous replication solution like DMS rather than a batch export/import.

How to eliminate wrong answers

Option A is wrong because setting up a Compute Engine instance with PostgreSQL replication requires manual configuration of replication slots, failover scripts, and does not integrate with Cloud SQL's managed service, adding operational overhead and risk. Option B is wrong because BigQuery Data Transfer Service is designed for loading data into BigQuery, not for replicating PostgreSQL databases to Cloud SQL; it cannot perform continuous replication or handle transactional consistency. Option C is wrong because exporting a 1 TB database as a SQL dump and transferring it over a 500 Mbps link would take approximately 4.5 hours (1 TB * 8 / 500 Mbps) plus import time, causing significant downtime, and it does not support continuous replication for minimal downtime.

32
Multi-Selecthard

A company wants to deploy a stateful application with strict low-latency requirements across multiple zones in a single region. They need to minimize inter-zone latency. Which THREE actions should they take? (Choose 3)

Select 3 answers
A.Place application instances in the same zone to minimize network hops
B.Use zonal SSD persistent disks
C.Deploy instances in a managed instance group across multiple zones
D.Use a regional internal TCP/UDP load balancer
E.Use Dedicated Interconnect for on-premises connection
AnswersA, B, D

Same zone reduces latency.

Why this answer

Option A is correct because placing all application instances in the same zone eliminates cross-zone network hops, which directly reduces inter-zone latency to near zero. For a stateful application with strict low-latency requirements, this co-location ensures that traffic between instances stays within a single failure domain, avoiding the additional latency introduced by traversing zone boundaries.

Exam trap

The trap here is that candidates often assume multi-zone deployment is always required for high availability, but the question explicitly prioritizes minimizing inter-zone latency, making same-zone placement the correct choice despite the trade-off in fault tolerance.

33
MCQmedium

A company is migrating on-premises workloads to Google Cloud. They have a critical application that requires consistent low-latency access to a database, with read replicas in multiple regions for disaster recovery. The application is expected to grow by 10x over the next year. Which database service and configuration should the architect choose to meet these requirements?

A.Use Cloud Bigtable with multi-region replication
B.Use Cloud SQL for PostgreSQL with cross-region read replicas
C.Use Cloud Spanner with multi-region configuration
D.Use Firestore in native mode with multi-region location
AnswerC

Cloud Spanner offers global strong consistency, automatic replication, and horizontal scalability.

Why this answer

Cloud Spanner with a multi-region configuration is the correct choice because it provides strong global consistency, low-latency reads and writes across regions, and automatic horizontal scaling to handle a 10x growth in workload. Its multi-region replication ensures synchronous replication for disaster recovery while maintaining ACID transactions, which is critical for a database requiring consistent low-latency access.

Exam trap

The trap here is that candidates often confuse Cloud Spanner's multi-region capabilities with simpler replication options like Cloud SQL read replicas or Bigtable's eventual consistency, failing to recognize that only Spanner provides strong global consistency and horizontal scaling for transactional workloads.

How to eliminate wrong answers

Option A is wrong because Cloud Bigtable is a NoSQL wide-column database designed for high-throughput analytical workloads, not for transactional applications requiring strong consistency and low-latency access to a single database; its multi-region replication is asynchronous and does not guarantee strong consistency. Option B is wrong because Cloud SQL for PostgreSQL supports cross-region read replicas, but the primary database is single-region and cannot scale horizontally to handle a 10x growth; read replicas are asynchronous and do not provide strong consistency for writes, making it unsuitable for a critical application requiring consistent low-latency access. Option D is wrong because Firestore in native mode is a NoSQL document database with eventual consistency by default (unless using transactions) and does not support the strong global consistency and horizontal scaling needed for a relational database workload with 10x growth; its multi-region location provides replication but not the ACID transactional guarantees required.

34
MCQmedium

A startup is developing a real-time analytics dashboard that ingests data from IoT devices. The data volume is unpredictable but can spike to millions of events per second. The dashboard must display near real-time aggregations with sub-second latency. Which Google Cloud architecture should the architect recommend?

A.Ingest via Cloud IoT Core directly to Cloud Bigtable, then query with BigQuery.
B.Ingest via Cloud Pub/Sub, process with Cloud Dataproc, store in Cloud Storage, and query with BigQuery.
C.Ingest via Cloud Pub/Sub, store raw data in Cloud Storage, and use Cloud SQL for aggregations.
D.Ingest via Cloud Pub/Sub, process with Cloud Dataflow, store in Cloud Bigtable, and query from the dashboard.
AnswerD

This combination handles high ingest rates, stream processing, and low-latency queries.

Why this answer

Option D is correct because Cloud Pub/Sub provides scalable, asynchronous ingestion for unpredictable IoT data spikes, Cloud Dataflow enables stream processing for near real-time aggregations with sub-second latency, and Cloud Bigtable offers low-latency, high-throughput storage ideal for serving aggregated results directly to a dashboard. This combination meets the requirements of unpredictable volume, real-time processing, and low-latency queries.

Exam trap

The trap here is that candidates often choose batch-oriented services like BigQuery or Dataproc for real-time requirements, overlooking that Cloud Dataflow's stream processing and Cloud Bigtable's low-latency storage are specifically designed for sub-second, high-throughput dashboard use cases.

How to eliminate wrong answers

Option A is wrong because Cloud IoT Core directly to Cloud Bigtable lacks a buffering layer for unpredictable spikes, and BigQuery is not designed for sub-second query latency on real-time dashboards. Option B is wrong because Cloud Dataproc is batch-oriented and introduces higher latency for stream processing, and Cloud Storage with BigQuery adds significant query latency unsuitable for sub-second dashboard responses. Option C is wrong because Cloud SQL cannot handle millions of events per second for real-time aggregations and lacks native stream processing capabilities.

35
MCQeasy

A company is migrating to Google Cloud and needs to connect their on-premises network to a VPC. They require high bandwidth and a reliable connection with a Service Level Agreement (SLA). Which solution should they choose?

A.Cloud VPN with dynamic routing
B.Dedicated Interconnect
C.Partner Interconnect via a service provider
D.Direct Peering
AnswerB

Dedicated Interconnect offers high bandwidth and an SLA.

Why this answer

Dedicated Interconnect provides a direct, private physical connection between your on-premises network and Google's network, offering high bandwidth (10 or 100 Gbps per link) and a 99.99% uptime SLA when configured with redundant links. This meets the requirements for high bandwidth and a reliable, SLA-backed connection better than any other option.

Exam trap

The trap here is that candidates often confuse Partner Interconnect with Dedicated Interconnect, assuming any 'Interconnect' offers an SLA, but only Dedicated Interconnect provides a direct physical link with a 99.99% SLA, while Partner Interconnect's SLA depends on the partner's network and is typically lower.

How to eliminate wrong answers

Option A is wrong because Cloud VPN uses the public internet with IPsec tunnels, offering no SLA and limited bandwidth (typically up to 3 Gbps per tunnel), making it unsuitable for high-bandwidth, SLA-backed requirements. Option C is wrong because Partner Interconnect relies on a third-party service provider's network, which may introduce additional latency and does not provide the same direct, dedicated SLA as Dedicated Interconnect; it is designed for cases where a direct physical connection is not feasible. Option D is wrong because Direct Peering is a non-SLA, best-effort connection established via public exchange points, intended for traffic exchange with Google services, not for dedicated, SLA-backed connectivity to a VPC.

36
MCQmedium

The exhibit shows a Cloud Storage bucket IAM policy. A developer (admin@example.com) wants to upload a file to the bucket but gets a permission denied error. What is the most likely reason?

A.An organization policy denies all write operations
B.The developer is not a member of the project
C.The service account my-sa overrides the developer's permissions
D.The developer is assigned only the objectViewer role
AnswerD

objectViewer cannot write.

Why this answer

Option C is correct because the developer only has roles/storage.objectViewer (read-only), not write access. Option A is wrong because there is no explicit deny. Option B is wrong because the service account has admin, but that doesn't affect the user.

Option D is wrong because the user is included.

37
Multi-Selecthard

A company is planning a hybrid cloud architecture using Anthos to manage workloads across on-premises data centers and Google Cloud. They need to select two key components that enable consistent configuration, policy, and security across environments. Which two should they choose?

Select 2 answers
A.Cloud Interconnect
B.GKE on-prem
C.Cloud Build
D.Config Sync
E.Cloud Load Balancing
AnswersB, D

GKE on-prem enables running Kubernetes clusters on-premises with the same API and tooling as GKE, enabling consistent workload management.

Why this answer

GKE on-prem (now Anthos clusters on bare metal or VMware) is correct because it provides a consistent Kubernetes platform that runs on-premises, enabling the same container orchestration, policy enforcement, and security controls as GKE in Google Cloud. Config Sync is correct because it continuously reconciles the desired state of cluster configurations from a Git repository, ensuring that policies, RBAC, and security settings remain identical across all Anthos clusters, whether on-prem or in the cloud.

Exam trap

The trap here is that candidates often confuse connectivity services (Cloud Interconnect) or traffic management (Cloud Load Balancing) with configuration and policy consistency, failing to recognize that Anthos relies on GitOps-based tools like Config Sync and the on-prem Kubernetes runtime (GKE on-prem) to achieve unified management.

38
MCQeasy

Refer to the exhibit. What is the primary benefit of the `--preemptible` flag in this command?

A.Significant cost reduction compared to standard instances.
B.Faster instance startup time due to optimized kernel.
C.Higher availability through automatic restart on failure.
D.Access to specialized hardware like GPUs at no extra cost.
AnswerA

Preemptible VMs cost about 60-90% less than standard VMs.

Why this answer

The `--preemptible` flag in Google Cloud Platform (GCP) creates preemptible VM instances, which are short-lived, cost-effective instances that can be terminated at any time by GCP. The primary benefit is a significant cost reduction—up to 60-91% lower than standard instances—making them ideal for batch jobs, fault-tolerant workloads, and non-critical tasks. This flag does not affect startup time, availability guarantees, or provide free access to specialized hardware.

Exam trap

Google Cloud often tests the misconception that `--preemptible` provides high availability or automatic restarts, when in reality it sacrifices availability for cost savings, and candidates may confuse it with managed instance groups or autohealing features.

How to eliminate wrong answers

Option B is wrong because the `--preemptible` flag does not optimize the kernel or affect instance startup time; startup time depends on the image and machine type, not the preemptible nature. Option C is wrong because preemptible instances have no automatic restart on failure—they are terminated after 24 hours or when capacity is needed, and they do not offer higher availability; in fact, they have lower availability than standard instances. Option D is wrong because preemptible instances do not provide access to specialized hardware like GPUs at no extra cost; GPUs are still billed separately, and preemptible instances with GPUs are subject to the same preemption risks and cost structure.

39
MCQhard

A company is migrating a critical on-premises application to Google Cloud. The application consists of a frontend web server that handles user requests and a backend database server that stores session state and processed data. The application is stateful because session data is stored in memory on the backend server. The company wants to minimize downtime during migration and ensure that the application can scale horizontally in the future. The current on-premises architecture has the web server and database server on separate physical machines. The web server communicates with the database server via a private network. The company expects that after migration, the application will need to handle double the current traffic. They also need to ensure that the architecture is resilient to zone failures within a single region. They are considering using Compute Engine for both the web and database servers, but they are open to other Google Cloud services. They have a requirement that the database must be relational and support ACID transactions. The database currently uses Microsoft SQL Server, but they are willing to migrate to a different database engine if it reduces operational overhead and provides better scalability. The team has limited experience with Google Cloud and wants to minimize architectural changes. Which course of action should the company take?

A.Refactor the application to be stateless. Migrate the web server to App Engine and the database to Cloud SQL for PostgreSQL. Use Cloud Memorystore for session state.
B.Migrate the web server to Compute Engine and the database to Cloud Spanner. Use a global load balancer for the web server and Spanner for transactional consistency.
C.Migrate the web server to Compute Engine with a managed instance group and internal load balancer. Migrate the database to Cloud SQL for SQL Server with high availability across zones.
D.Lift and shift both web and database servers to Compute Engine. Use a managed instance group with autoscaling for the web server and a standalone VM for the database. Configure persistent disks for data.
AnswerC

Minimizes changes, provides HA, scaling, and managed database.

Why this answer

Option C is correct because it preserves the existing stateful architecture by using Compute Engine with a managed instance group and internal load balancer for the web tier, and Cloud SQL for SQL Server with cross-zone high availability for the database. This minimizes architectural changes, supports horizontal scaling via the managed instance group, and provides zone-level resilience for the relational database with ACID transactions, meeting the requirement to handle double traffic while minimizing downtime.

Exam trap

The trap here is that candidates often choose a lift-and-shift option (D) thinking it minimizes changes, but they overlook the requirement for zone-level resilience, which a standalone VM cannot provide, or they incorrectly assume that Cloud Spanner (B) is the only option for ACID transactions at scale, ignoring that Cloud SQL for SQL Server meets the need with less complexity and no database engine migration.

How to eliminate wrong answers

Option A is wrong because refactoring the application to be stateless and using App Engine introduces significant architectural changes that the team wants to avoid, and Cloud Memorystore for session state adds complexity without addressing the requirement for a relational database with ACID transactions (Cloud SQL for PostgreSQL is relational, but the shift from SQL Server to PostgreSQL still requires migration effort). Option B is wrong because Cloud Spanner is a globally distributed, strongly consistent database that is overkill for a single-region workload and does not natively support SQL Server compatibility, requiring a full database migration; also, a global load balancer is unnecessary for a single-region deployment and adds latency. Option D is wrong because a standalone VM for the database lacks high availability across zones, failing the resilience requirement, and persistent disks alone do not provide the automated failover or managed backups that Cloud SQL offers, increasing operational overhead and downtime risk.

40
MCQhard

A company is building a real-time data pipeline that ingests events from IoT devices, processes them with Apache Beam, and stores results in BigQuery for analytics. The pipeline must handle spikes in traffic and guarantee exactly-once processing. Which combination of services should they use?

A.Cloud Pub/Sub, Dataproc, and BigQuery.
B.Cloud IoT Core, Data Fusion, and Cloud Bigtable.
C.Cloud Storage, Cloud Functions, and BigQuery.
D.Cloud Pub/Sub, Dataflow, and BigQuery.
AnswerD

Cloud Pub/Sub handles event ingestion with scalability, Dataflow provides exactly-once processing for streaming, and BigQuery serves as the analytics data warehouse.

Why this answer

Option D is correct because Cloud Pub/Sub provides scalable, asynchronous ingestion for IoT event spikes, Dataflow (which runs Apache Beam) offers exactly-once processing semantics via checkpointing and idempotent sinks, and BigQuery serves as the analytics destination. This combination meets all requirements: Pub/Sub decouples producers from consumers, Dataflow handles stateful processing with exactly-once guarantees, and BigQuery supports real-time streaming inserts.

Exam trap

Google Cloud often tests the misconception that any combination of Google Cloud services can achieve exactly-once processing, but the trap here is that only Dataflow (with its Beam runner) provides native exactly-once semantics for streaming pipelines, while Dataproc, Data Fusion, and Cloud Functions lack this guarantee.

How to eliminate wrong answers

Option A is wrong because Dataproc is a managed Hadoop/Spark service, not a native Apache Beam runner; while Spark can be used with Beam, Dataproc lacks Dataflow's built-in exactly-once semantics and auto-scaling optimizations for streaming pipelines. Option B is wrong because Cloud IoT Core is a device management service, not a messaging queue for event ingestion, and Data Fusion is a batch-oriented ETL tool (based on CDAP) that does not support real-time streaming or exactly-once processing; Cloud Bigtable is a NoSQL database, not an analytics warehouse like BigQuery. Option C is wrong because Cloud Storage is a batch-oriented object store with no native streaming ingestion (requiring polling or triggers), Cloud Functions has a 9-minute timeout and no exactly-once guarantee for streaming, and the combination lacks a managed stream processing engine like Dataflow.

41
MCQhard

A company has a hub-and-spoke VPC topology with multiple on-premises locations connected via Cloud VPN to the hub VPC. They notice IP conflicts because overlapping CIDR ranges are used in different spokes. The network team wants to allow communication between spokes without re-IPing. What should they do?

A.Use Cloud NAT in each spoke and private routing via the hub with network tags to distinguish ranges.
B.Use Cloud VPN tunnels between spokes through the hub.
C.Configure static routes in the hub to summarize ranges with a smaller prefix.
D.Create VPC peering between each spoke VPC.
AnswerA

Cloud NAT can map overlapping private IPs to a unique internal IP range within the hub, and tags can help route traffic appropriately, though this approach has limitations; alternative is to re-IP. But among options, this allows some communication without re-IPing.

Why this answer

Option A is correct because Cloud NAT in each spoke allows spoke VPCs to communicate with the hub using private IPs while avoiding IP conflicts by using network tags to differentiate overlapping ranges. The hub VPC acts as a central routing point, and with Cloud NAT, traffic from spokes can be source-NATed to unique IPs in the hub, enabling communication between spokes without re-IPing. This approach leverages private routing through the hub and avoids the need for direct peering or VPN tunnels between spokes.

Exam trap

The trap here is that candidates assume VPN tunnels or VPC peering can handle overlapping IPs through routing alone, but they forget that IP routing requires unique destination addresses, and without NAT, overlapping ranges cause black-holing or asymmetric routing.

How to eliminate wrong answers

Option B is wrong because Cloud VPN tunnels between spokes through the hub would still require unique IP ranges for routing; overlapping CIDRs would cause routing conflicts in the hub's route tables, as VPN tunnels rely on destination IP-based routing that cannot distinguish overlapping ranges without NAT. Option C is wrong because configuring static routes in the hub to summarize ranges with a smaller prefix does not resolve IP conflicts; summarization assumes non-overlapping ranges, and overlapping CIDRs would still cause ambiguity in route selection. Option D is wrong because VPC peering between each spoke VPC would directly expose overlapping IP ranges, leading to routing failures and inability to establish peering connections due to conflicting subnets.

42
MCQeasy

A media company wants to serve publicly available images and videos to a global audience with low latency. Which Google Cloud service should they primarily use?

A.Cloud Storage with public bucket serving the files.
B.Cloud CDN with Cloud Storage as the origin.
C.Cloud Run with a container that serves the files.
D.Compute Engine with an HTTP server.
AnswerB

Cloud CDN caches content from Cloud Storage at edge locations, reducing latency for global users.

Why this answer

Cloud CDN with Cloud Storage as the origin is the correct choice because it uses Google's global edge cache to serve publicly available images and videos from Cloud Storage, minimizing latency for a global audience. Cloud CDN caches content at edge locations worldwide, reducing the round-trip time to the origin bucket, while Cloud Storage provides scalable, durable object storage. This combination is purpose-built for delivering static content with low latency and high throughput.

Exam trap

The trap here is that candidates often choose Cloud Storage with a public bucket (Option A) because it seems simplest, overlooking that Cloud CDN is required to achieve global low-latency delivery by caching content at edge locations.

How to eliminate wrong answers

Option A is wrong because a public Cloud Storage bucket serves files directly from the bucket's regional location, which does not provide global edge caching, resulting in higher latency for users far from the bucket's region. Option C is wrong because Cloud Run is a serverless compute platform designed for running containerized applications, not optimized for serving static files at scale; it lacks built-in edge caching and would incur unnecessary compute costs and cold-start latency. Option D is wrong because Compute Engine with an HTTP server requires manual scaling, maintenance, and lacks integrated global caching, making it inefficient and costly for serving static content to a global audience compared to a managed CDN solution.

43
Multi-Selecteasy

Which THREE practices are recommended for organizing projects in a Google Cloud organization?

Select 3 answers
A.Create a separate project to hold organization policies.
B.Use a separate project for each environment (e.g., development, staging, production).
C.Apply IAM policies at the folder level instead of the organization level when possible.
D.Use a shared VPC host project for multiple service projects to centralize network management.
E.Consolidate all production resources into a single project for simplicity.
AnswersB, C, D

Separate projects isolate environments and allow independent management and billing.

Why this answer

Option B is correct because using separate projects for each environment (development, staging, production) enforces resource isolation, prevents accidental cross-environment changes, and allows independent IAM policies, billing, and quotas. This aligns with Google Cloud's recommended resource hierarchy best practices for managing lifecycle and security boundaries.

Exam trap

The trap here is that candidates often confuse the purpose of organization policies with project-level resources, mistakenly thinking a separate project is needed to hold policies, when in fact policies are inherited through the resource hierarchy (organization → folder → project).

44
MCQmedium

Refer to the exhibit. A user creates a Cloud SQL for PostgreSQL instance and a Compute Engine VM. The VM cannot connect to the database. What is the most likely cause?

A.The Cloud SQL instance requires SSL connections, and the client is not using SSL.
B.The Cloud SQL instance does not have a private IP assigned, but the VM is attempting to connect using the private IP.
C.The VM's firewall is blocking egress to port 5432 on the Cloud SQL public IP.
D.The authorized networks setting is too permissive; it should be restricted to the VM's public IP.
AnswerB

Correct: The '--assign-ip' flag only assigns a public IP. To use private IP, the instance needs to be configured with a private network. The VM likely uses the private IP because it is in the same region, but the instance doesn't have one.

Why this answer

The Cloud SQL instance has authorized networks set to 0.0.0.0/0, which allows all IPs. However, the instance has a public IP, and the VM has an external IP. The connection fails with timeout, suggesting that the traffic is not reaching the database.

This could be due to the database not having SSL enforced, but that would cause a different error. The most likely cause is that the Cloud SQL instance is not configured to allow connections from the VM's public IP, because authorized networks only apply to connections using the public IP. But the exhibit shows it's set to 0.0.0.0/0, so that should work.

Another possibility: the VM is trying to connect to the private IP of the Cloud SQL instance, but the instance does not have a private IP. The exhibit shows '--assign-ip' which assigns a public IP, but does not assign a private IP. The VM might be trying to connect to the private IP, which doesn't exist.

However, the error is 'connection timed out', which suggests the client cannot reach the IP. If the client is using the public IP, the firewall on the VM allows egress. The issue could be that the Cloud SQL instance's public IP is not reachable from the VM's network due to VPC firewall rules? But the VM's firewall allows egress to 0.0.0.0/0.

The most likely cause is that the Cloud SQL instance does not have a private IP, and the VM is trying to connect via private IP. But the user might be using the correct public IP. Another common issue: the Cloud SQL instance requires SSL, but the client is not using SSL.

However, that would give a different error like 'SSL required'. The timeout suggests network connectivity. Given the exhibit, the Cloud SQL instance has only a public IP and authorized networks allow all IPs, so the issue is likely that the VM is trying to connect using the instance's private IP, which doesn't exist.

Alternatively, the VM might be in a different VPC and peering is not set up. But the question says 'different VPC'. Since the instance has a public IP, the VM can connect via public IP regardless of VPC.

The most plausible answer is that the Cloud SQL instance does not have a private IP, and the user is trying to connect to the private IP. However, the exhibit doesn't show the connection string. Another possibility: the user has not enabled public IP access from the VM's network? No, authorized networks allow all.

I think the intended answer is that the Cloud SQL instance does not have a private IP, so the VM, if using private IP, cannot connect. But the question says 'connection fails', so we need to infer. Let me craft options.

45
Multi-Selectmedium

Which TWO statements are true regarding the benefits of using VPC Network Peering over Cloud VPN for connecting two VPC networks?

Select 2 answers
A.VPC Network Peering provides lower latency because traffic stays within Google's network.
B.VPC Network Peering requires a separate VPN gateway appliance.
C.Cloud VPN incurs egress costs for data transfer, while VPC Network Peering typically does not.
D.VPC Network Peering can only be established within the same organization.
E.Cloud VPN encrypts traffic, which VPC Network Peering does not.
AnswersA, C

Peering uses Google's internal network, avoiding internet hops, thus lower latency.

Why this answer

Option A is correct because VPC Network Peering uses Google's internal infrastructure to route traffic directly between VPC networks, avoiding the public internet and reducing the number of network hops. This results in lower latency compared to Cloud VPN, which typically encrypts and tunnels traffic over the public internet, introducing additional overhead and potential variability in latency.

Exam trap

The trap here is that candidates may confuse the lack of encryption in VPC Network Peering as a disadvantage, but the question asks for benefits, so encryption (Option E) is not a benefit of peering; instead, the lower latency and reduced egress costs are the key advantages.

46
MCQeasy

Your company has migrated its legacy web application from a single Compute Engine instance to a managed instance group (MIG) behind an HTTP(S) load balancer. The application was updated to a new version as part of the migration. After the migration, users report intermittent 502 Bad Gateway errors. The application logs show no errors, and the load balancer backend health checks are reported as healthy. On investigation, the developers discover that the new version requires a specific environment variable for authentication to a downstream service. This variable was set manually on the original instance but is missing from the MIG's instance template. The health check endpoint does not depend on this variable and always returns a 200 status even when the variable is absent. As a result, instances created from the template are considered healthy by the load balancer, but when they receive requests that require authentication, they fail and return a 502 error to the client. What is the most likely cause of the 502 errors?

A.The missing environment variable causes authentication failures on new instances.
B.The health check is configured to check the old application path, which no longer exists.
C.The load balancer's backend timeout is too short for the application's response time.
D.The MIG is not scaling out fast enough to handle peak traffic.
AnswerA

The environment variable is essential for authentication; its absence causes requests to fail with 502 errors. Health checks pass because they do not exercise that code path.

Why this answer

The 502 errors occur because the new application version requires a specific environment variable for authentication to a downstream service. The health check endpoint does not depend on this variable, so instances are marked healthy even though they cannot authenticate real requests. When the load balancer routes traffic to these instances, the missing variable causes authentication failures, leading to 502 Bad Gateway errors.

Exam trap

The trap here is that candidates assume healthy health checks guarantee the application is fully functional, but Cisco tests the nuance that health checks may not cover all dependencies, leading to 'false healthy' instances that fail on real requests.

How to eliminate wrong answers

Option B is wrong because the health check is reported as healthy, indicating it is hitting a valid endpoint (the old path would cause health check failures, not intermittent 502s). Option C is wrong because backend timeout issues would typically cause 504 Gateway Timeout errors, not 502 Bad Gateway errors, and the application logs show no errors. Option D is wrong because scaling issues would cause 503 Service Unavailable errors or increased latency, not 502 errors, and the MIG is not reported as overloaded.

47
Matchingmedium

Match each GCP security service to its function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Manage encryption keys

Hardware security module for key protection

Store API keys, passwords, certificates

Manage access control

Centralized security and risk management

Why these pairings

These are security services in GCP.

48
Matchingmedium

Match each Google Cloud service to its primary purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Distribute traffic across instances

Cache content at edge locations

Protect against DDoS and web attacks

Enable outbound internet for private instances

Dedicated connection between on-prem and GCP

Why these pairings

These are core networking services in GCP.

49
MCQhard

A company is designing a VPC architecture for a multi-tenant SaaS platform. Each tenant has isolated workloads that must not communicate with each other. They also need centralized network security and logging. Which VPC design meets these requirements?

A.Dedicated Cloud VPN connections per tenant
B.Use a Shared VPC with separate subnets for each tenant and firewall rules to enforce isolation
C.Single VPC with network tags and IAP tunnels
D.Peered VPCs for each tenant with Cloud NAT
AnswerB

Shared VPC allows centralized control and subnet isolation.

Why this answer

Option A is correct because Shared VPC with separate subnets per tenant and firewall rules for isolation provides centralized management. Option B is wrong because VPC peering requires explicit peering and does not provide isolation easily. Option C is wrong because Cloud VPN is not for multi-tenant isolation.

Option D is wrong because a single VPC without subnets is insecure.

50
MCQmedium

Refer to the exhibit. An engineer deploys this Terraform configuration. After deployment, they can SSH into the VM using its public IP. However, they want to restrict SSH access to only a specific IP range (203.0.113.0/24). What change is required?

A.Change the 'source_ranges' in the firewall rule to ['203.0.113.0/24']. The instance already has the required tag.
B.Modify the instance to use a network tag 'restricted-ssh' and update the firewall rule target_tags accordingly.
C.Add a new firewall rule with higher priority allowing SSH from 203.0.113.0/24, and keep the existing rule but change its priority to 100.
D.Update the 'source_ranges' in the firewall rule to ['203.0.113.0/24'] and remove the 'ssh-allowed' tag from the instance.
AnswerA

Correct: Updating the source ranges restricts incoming SSH to the specified IP range.

Why this answer

The firewall rule 'allow-ssh' currently allows SSH from all IPs (0.0.0.0/0) to instances with tag 'ssh-allowed'. To restrict to a specific IP range, the source_ranges must be updated to ['203.0.113.0/24']. The instance already has the tag 'ssh-allowed', so no change to tags is needed.

51
MCQmedium

A company is designing a microservices architecture on Google Kubernetes Engine (GKE) for a global user base. They require high availability across multiple zones, automatic scaling, and rolling updates without downtime. Which Kubernetes workload resource should they use for each service?

A.StatefulSet with volumeClaimTemplates for persistent storage
B.Deployment with pod anti-affinity rules spread across zones
C.Job for batch processing
D.DaemonSet to ensure one pod per node
AnswerB

Deployments provide rolling updates and replica management; combined with pod anti-affinity, they can ensure pods are distributed across zones for high availability.

Why this answer

Option C is correct because Deployments support rolling updates and pod anti-affinity can spread pods across zones for high availability. StatefulSets are for stateful workloads, DaemonSets for node-level daemons, and Jobs for batch tasks.

52
MCQeasy

A multinational e-commerce company needs a globally distributed database that provides strong consistency and transactional support for order processing. Which Google Cloud database service should they use?

A.Cloud SQL
B.Cloud Spanner
C.Cloud Bigtable
D.Cloud Firestore
AnswerB

Cloud Spanner provides global distribution, strong consistency, and full transactional support, making it ideal for order processing.

Why this answer

Cloud Spanner is the correct choice because it is a globally distributed, horizontally scalable relational database service that provides strong consistency and full ACID transactional support across regions. Unlike other Google Cloud databases, Spanner uses synchronous replication and the TrueTime API to guarantee external consistency, making it ideal for order processing systems that require both global scale and transactional integrity.

Exam trap

The trap here is that candidates often confuse Cloud Spanner with Cloud SQL, assuming that a traditional relational database like Cloud SQL can be scaled globally by adding replicas, but they miss that Cloud SQL replicas are read-only and cannot provide the strong consistency and write scalability needed for a globally distributed transactional system.

How to eliminate wrong answers

Option A is wrong because Cloud SQL is a regional, single-writer database that cannot scale horizontally across multiple regions, and it does not provide the global strong consistency needed for a globally distributed order processing system. Option C is wrong because Cloud Bigtable is a NoSQL wide-column database designed for high-throughput analytical workloads, not for transactional order processing that requires strong consistency and ACID transactions. Option D is wrong because Cloud Firestore is a NoSQL document database that offers eventual consistency by default (unless using transactions in a single region) and is not designed for the complex, strongly consistent transactional workloads of a global e-commerce order processing system.

53
Multi-Selectmedium

Which TWO actions reduce egress costs when transferring data from Compute Engine to the internet? (Choose 2)

Select 2 answers
A.Use Cloud NAT for outbound traffic
B.Use Cloud CDN to cache content
C.Move instances to a lower-cost region
D.Use Premium Tier networking
E.Compress data before sending it
AnswersB, E

Reduces origin egress by serving from edge caches.

Why this answer

Options A and D are correct. Using a Cloud CDN caches content at edge locations, reducing egress from origin. Using a Premium Tier network does not reduce egress costs; it may increase.

Compressing data reduces egress volume, but it's not always applicable and may affect latency. Moving to a different region does not reduce egress cost. There are only two correct: A and D.

Actually, compressing data reduces the amount of data transferred, so that reduces egress cost. Let's reconsider. The correct answers: Using Cloud CDN (caches content, reduces origin egress) and using data compression (reduces size).

Option A is correct, option D is correct. Option B (move to lower-cost region) does not reduce egress cost because egress is per GB, same worldwide. Option C (use Premium Tier) increases cost.

Option E (use a NAT gateway) does not reduce egress.

54
MCQeasy

A company runs a web application on Compute Engine instances behind a global HTTP(S) Load Balancer. The application uses Cloud SQL for MySQL for user data. Users report that during peak hours, the page load times increase significantly. The development team notices that the number of database connections exceeds the maximum allowed, causing some requests to fail. The application is designed to use connection pooling with a maximum pool size of 100 connections per instance. There are currently 10 instances. The Cloud SQL instance is configured with 4 vCPUs and 15 GB memory, and the maximum connections is set to 400. The application team wants to minimize cost while resolving the issue. What should the architect recommend?

A.Reduce the max pool size per instance to 40 connections.
B.Increase the Cloud SQL instance tier to have more vCPUs and memory.
C.Implement connection pooling at the global HTTP(S) Load Balancer level.
D.Use Cloud SQL Proxy with connection pooling.
AnswerA

This reduces total connections to 400, matching the Cloud SQL max and resolving the issue at no extra cost.

Why this answer

Option B is correct. With 10 instances each using a pool of 100 connections, the potential connections is 1000, far exceeding the Cloud SQL max of 400. Reducing the pool size to 40 per instance brings the total to 400, fitting within the limit without additional cost.

Option A increases cost unnecessarily as the current tier can handle the load when connections are properly sized. Option C is not feasible because load balancers do not manage database connection pooling. Option D does not reduce the total connection count and adds complexity without solving the core issue.

55
MCQmedium

Refer to the exhibit. A user alice@example.com is unable to list objects in bucket 'bucket-b'. What is the most likely reason?

A.The condition restricts access only to bucket-a.
B.The IAM policy is missing the roles/storage.objectAdmin role.
C.The condition expression is invalid.
D.The user needs the roles/storage.legacyBucketReader role.
AnswerA

The condition expression limits the role to buckets with names starting with 'bucket-a'.

Why this answer

Option B is correct. The IAM condition restricts the storage.objectViewer role to only objects whose name starts with 'bucket-a'. Since alice is trying to list objects in bucket-b, the condition prevents access.

Option A is incorrect because the objectViewer role is sufficient to list objects. Option C is incorrect because legacyBucketReader is not required for listing. Option D is incorrect because the condition expression is valid.

Ready to test yourself?

Try a timed practice session using only Design and plan a cloud solution architecture questions.