CCNA Manage implementation of cloud architecture Questions

13 of 88 questions · Page 2/2 · Manage implementation of cloud architecture · Answers revealed

76
Multi-Select · medium

An organization wants to monitor network traffic between VMs in a VPC for troubleshooting. Which TWO services can provide this?

Select 2 answers
A. Cloud Audit Logs
B. Packet Mirroring (Network Intelligence Center)
C. VPC Flow Logs
D. Cloud Monitoring
E. Cloud Logging
Answers: B, C

Provides deep packet inspection.

Why this answer

Packet Mirroring (Network Intelligence Center) is correct because it clones the actual packet contents (headers and payload) from VM instances and forwards them to a collector for deep packet inspection, enabling detailed troubleshooting of network traffic between VMs in a VPC. This service captures full packet data, including application-layer information, which is essential for diagnosing issues like packet loss, latency, or protocol errors.

Exam trap

Google Cloud often tests the distinction between services that capture raw packet data (Packet Mirroring) versus those that only log metadata or metrics (VPC Flow Logs, Cloud Monitoring), leading candidates to mistakenly choose VPC Flow Logs as the sole correct answer when full packet capture is required for deep troubleshooting.

77
MCQ · easy

A developer needs to deploy a stateful application that requires persistent storage across pod restarts in Google Kubernetes Engine. Which resource should they use?

A. ConfigMap
B. EmptyDir
C. Secret
D. PersistentVolumeClaim
Answer: D

Provides persistent storage that remains across pod restarts.

Why this answer

A PersistentVolumeClaim (PVC) is the correct resource because it allows a pod to request persistent storage that survives pod restarts. In GKE, a PVC binds to a PersistentVolume (PV), which can be backed by Compute Engine persistent disks, ensuring data remains available even if the pod is rescheduled or restarted.

Exam trap

The trap here is that candidates confuse ephemeral volumes (EmptyDir) with persistent storage, or assume ConfigMaps/Secrets can store application data, when in fact they are for configuration and secrets only.

How to eliminate wrong answers

Option A is wrong because a ConfigMap is used to inject configuration data (e.g., environment variables, files) into pods, not for persistent storage. Option B is wrong because an EmptyDir volume is ephemeral—it is created when a pod starts and is deleted when the pod is removed, so data does not persist across pod restarts. Option C is wrong because a Secret is designed to store sensitive data (e.g., passwords, tokens) and is not a storage volume for application data.

78
MCQ · hard

An organization has deployed a multi-region Cloud Spanner instance for a global application. The application is experiencing high latency for read requests from a specific region. The team has verified that the application is using stale reads and the data distribution is even. What is the most likely cause of the high latency?

A. The number of read replicas in the region is insufficient to handle the read volume.
B. The Spanner instance has too few nodes, causing contention.
C. The application is using read-write transactions instead of read-only transactions.
D. The Spanner instance does not have a read replica in a location close to the clients.
Answer: D

Adding a read replica in the region reduces network round-trip time, lowering read latency.

Why this answer

Option D is correct because Cloud Spanner uses a single global configuration with regional read replicas. If the instance does not have a read replica in the region where the clients are located, read requests must traverse the network to a replica in another region, causing higher latency. Even with stale reads, the physical distance to the nearest replica directly impacts read latency.

Exam trap

Google Cloud often tests the misconception that adding more nodes or read replicas solves regional latency, when the real issue is the absence of a local replica in the specific region.

How to eliminate wrong answers

Option A is wrong because Cloud Spanner does not have a concept of 'read replicas' in the same way as traditional databases; it uses a single set of nodes per instance, and read capacity scales with the number of nodes, not with separate read replicas. Option B is wrong because the team has verified that data distribution is even, and the question states the issue is specific to a region, not global contention; too few nodes would cause high latency across all regions, not just one. Option C is wrong because the team has already verified that the application is using stale reads, which are read-only transactions by definition; read-write transactions would not be used in this scenario.

79
Multi-Select · medium

A cloud architect is implementing a CI/CD pipeline for a microservices-based application on Google Kubernetes Engine (GKE). The team needs to deploy new versions of the services with zero downtime and the ability to quickly roll back if issues are detected. Which two strategies should the architect consider? (Choose two.)

Select 2 answers
A. Shadow deployment
B. Rolling update
C. Blue/green deployment
D. Canary deployment
E. A/B testing deployment
Answers: C, D

Correct: blue/green allows instant rollback by switching traffic back to the old version.

Why this answer

Blue/green deployment (C) and canary deployment (D) are the two strategies that provide zero downtime and quick rollback. Blue/green deploys the new version to a separate environment and switches traffic to it; rollback is a switch back to the old environment. Canary gradually shifts traffic to the new version and can be rolled back at any point by shifting it back. Rolling update (B) also provides zero downtime, but rollback requires another rolling update rather than an immediate switch.

Shadow deployment (A) mirrors traffic to the new version for analysis but never serves users from it. A/B testing (E) is a method for comparing features, not a deployment strategy.

80
MCQ · medium

You are designing a CI/CD pipeline for a containerized application on Google Cloud. The application is built with Cloud Build, stored in Container Registry, and deployed to GKE. The team wants to ensure that only images that pass vulnerability scanning are deployed. What should you do?

A. Add a step in Cloud Build that runs a vulnerability scanner on the image and fails the build if vulnerabilities exceed a threshold.
B. Configure Container Analysis to automatically scan images in Container Registry and block deployment via a webhook.
C. Enable Binary Authorization on the GKE cluster and configure a policy to require an attestation from a trusted authority.
D. Use Security Command Center to detect vulnerabilities and alert the team to manually block deployments.
Answer: A

This integrates scanning into the pipeline, preventing vulnerable images from being pushed.

Why this answer

Option A is correct because Cloud Build can include a custom step that runs a vulnerability scanner (e.g., using the Google Cloud `gcloud container images list-tags` with the `--show-occurrences-from` flag or a third-party tool like Trivy) and then evaluates the results against a threshold. If the scan finds vulnerabilities exceeding the defined threshold, the build step exits with a non-zero status, causing the Cloud Build pipeline to fail and preventing the image from being pushed to Container Registry or deployed. This directly enforces the requirement that only images passing vulnerability scanning proceed in the CI/CD pipeline.

Exam trap

The trap here is that candidates often confuse Binary Authorization (which requires attestations but does not perform scanning) with vulnerability scanning, or they assume Container Analysis can directly block deployments via a webhook, when in fact it only generates metadata that must be consumed by another policy engine.

How to eliminate wrong answers

Option B is wrong because Container Analysis automatically scans images in Container Registry, but it does not have a built-in webhook mechanism to block deployment; it only generates vulnerability occurrences that must be consumed by another service (e.g., Binary Authorization) to enforce policy. Option C is wrong because Binary Authorization enforces deployment policies based on attestations from trusted authorities, but it does not itself perform vulnerability scanning; it relies on an external attestor to verify the image, and the question requires that only images passing vulnerability scanning are deployed, not that an attestation is required. Option D is wrong because Security Command Center is a security and risk management platform that provides visibility and alerts, but it does not automatically block deployments; it requires manual intervention or integration with other tools to stop a deployment.
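The threshold check that option A describes is the part of the build step that the scanner itself does not provide: something has to read the findings and decide whether the build exits non-zero. The script below is an added example, not code from this question bank or from any Google Cloud tool. It evaluates a list of findings against per-severity limits and returns the verdict; the findings, the field names (`severity`, `fix_available`), the placeholder IDs and the thresholds are all constructed for the example, and the optional `fixable_only` policy (ignore findings with no fix available) is an assumption about how a team might tune the gate.

```python
"""Vulnerability-threshold gate for a CI build step.

Added example, not from the question bank or from Google Cloud tooling.
Field names and sample findings are constructed; a real step would load
the scanner's output instead of SAMPLE_FINDINGS.
"""
import json
import sys
from collections import Counter

# Maximum number of findings allowed per severity before the step fails.
# Severities absent from this table (LOW, MINIMAL) never fail the build.
# Values are constructed for this example.
DEFAULT_THRESHOLDS = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 5}

# Constructed sample findings; IDs and package names are placeholders.
SAMPLE_FINDINGS = [
    {"id": "PLACEHOLDER-1", "package": "libexample", "severity": "CRITICAL", "fix_available": False},
    {"id": "PLACEHOLDER-2", "package": "libother", "severity": "HIGH", "fix_available": True},
    {"id": "PLACEHOLDER-3", "package": "libother", "severity": "MEDIUM", "fix_available": True},
    {"id": "PLACEHOLDER-4", "package": "libthird", "severity": "medium", "fix_available": False},
    {"id": "PLACEHOLDER-5", "package": "libthird", "severity": "LOW", "fix_available": True},
]


def count_by_severity(findings, fixable_only=False):
    """Count findings per upper-cased severity, optionally keeping only
    findings that have a fix available (an assumed policy knob)."""
    counts = Counter()
    for finding in findings:
        if fixable_only and not finding.get("fix_available", False):
            continue
        counts[str(finding.get("severity", "UNKNOWN")).upper()] += 1
    return dict(counts)


def evaluate(findings, thresholds=None, fixable_only=False):
    """Return (passed, violations).

    violations is a list of (severity, count, limit) tuples, in threshold
    order, for every severity whose count exceeds its limit.
    """
    thresholds = DEFAULT_THRESHOLDS if thresholds is None else thresholds
    counts = count_by_severity(findings, fixable_only)
    violations = [
        (severity, counts.get(severity, 0), limit)
        for severity, limit in thresholds.items()
        if counts.get(severity, 0) > limit
    ]
    return (not violations, violations)


def main(argv):
    """Entry point for the build step: exit 1 when the gate fails so the
    pipeline stops before the image is pushed. Pass a JSON file path to
    evaluate real scanner output (same constructed field names assumed)."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            findings = json.load(fh)
    else:
        findings = SAMPLE_FINDINGS
    passed, violations = evaluate(findings, fixable_only="--fixable-only" in argv)
    for severity, count, limit in violations:
        print(f"{severity}: {count} finding(s), limit {limit}")
    print("gate passed" if passed else "gate failed")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as a Cloud Build step after the scan, the non-zero exit is what fails the build; the severity is normalised to upper case so a scanner that emits `medium` and one that emits `MEDIUM` are counted together, and the `fixable_only` switch is where a team decides whether unfixable findings should block a release.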

81
Multi-Select · hard

A company is designing a highly available architecture for a stateful application on Compute Engine. They need to protect against zonal failures. Which THREE steps should they take?

Select 3 answers
A. Store session state in memory
B. Use a global load balancer with health checks
C. Use a single zone instance group
D. Use persistent disks with regional persistent disks
E. Use a managed instance group across multiple zones
Answers: B, D, E

Distributes traffic and fails over.

Why this answer

To protect against zonal failures: use a managed instance group across multiple zones (E) to distribute instances; use regional persistent disks (D), which replicate data across zones; and use a global load balancer with health checks (B) to direct traffic to healthy instances. Storing session state in memory (A) is not durable. Using a single zone instance group (C) does not provide HA.

82
MCQ · easy

A developer runs the command above and sees the output. The cluster has one node pool with 3 nodes, each of type e2-standard-4 (4 vCPU, 16 GB RAM). The application requires at least 2 GB of memory per pod and the cluster has 10 pods that need to be scheduled. The developer also notices that the node pool autoscaling is enabled with a minimum of 1 and maximum of 5 nodes. However, the cluster is unable to schedule all pods. What is the most likely cause?

A. The cluster is running an older version of Kubernetes that does not support node auto-scaling.
B. The node pool autoscaler is not properly configured to scale up based on pod resource requests.
C. The node auto-repair feature is disabled, causing a node to be unhealthy.
D. The pod resource requests exceed the allocatable resources on the existing nodes after accounting for system reservations.
Answer: D

System reservations (kube-reserved, eviction threshold) reduce allocatable CPU and memory, and the pod requests may exceed what is available.

Why this answer

Option D is correct because the cluster has 3 e2-standard-4 nodes, each with 4 vCPU and 16 GB RAM. After accounting for system reservations (e.g., kubelet, OS, daemonsets), the allocatable memory per node is typically around 13-14 GB. With 10 pods each requesting 2 GB, the total memory request is 20 GB, but the total allocatable memory across 3 nodes is only about 39-42 GB.

However, the autoscaler can only scale up to 5 nodes, and even then, the total allocatable memory would be around 65-70 GB, which is sufficient. The most likely cause is that the pod resource requests exceed the allocatable resources on the existing nodes, preventing scheduling, and the autoscaler may not have triggered yet or is constrained by other factors like CPU or node limits.

Exam trap

Google Cloud often tests the distinction between pod resource requests and limits, and the fact that the Cluster Autoscaler scales based on requests, not limits, leading candidates to overlook system reservations or assume autoscaling is misconfigured.

How to eliminate wrong answers

Option A is wrong because older Kubernetes versions (e.g., 1.15+) do support node autoscaling via the Cluster Autoscaler; the version is unlikely to be the issue. Option B is wrong because the node pool autoscaler is configured to scale based on unschedulable pods, and it does consider pod resource requests; the issue is that the autoscaler may not have scaled up sufficiently or the requests exceed the current node capacity. Option C is wrong because node auto-repair is unrelated to scheduling; it handles node health issues, not resource insufficiency.

83
MCQ · easy

A developer is trying to deploy a Compute Engine instance from a Cloud Build step. The build fails with the above error. What is the problem?

A. The project has exceeded its service account quota.
B. The Cloud Build service account lacks 'compute.instances.create' permission.
C. Cloud Build does not have the 'iam.serviceAccounts.actAs' permission on the default compute service account.
D. The developer's personal account does not have permission to use Cloud Build.
Answer: C

When Cloud Build creates a VM, it must act as the VM's service account.

Why this answer

The error occurs because Cloud Build needs to impersonate the Compute Engine default service account to create a VM instance. The Cloud Build service account requires the 'iam.serviceAccounts.actAs' permission on the target service account to delegate its identity. Without this permission, the build step fails even if the Cloud Build service account has 'compute.instances.create' permission.

Exam trap

Google Cloud often tests the subtle distinction between having resource-level permissions (like 'compute.instances.create') and the 'actAs' permission required to impersonate a service account, leading candidates to incorrectly choose the missing resource permission.

How to eliminate wrong answers

Option A is wrong because service account quotas are separate from IAM permissions; exceeding a quota would produce a different error (e.g., 'quota exceeded'), not a permission denied error. Option B is wrong because the error message specifically indicates an 'actAs' permission issue, not a missing 'compute.instances.create' permission; if that were the problem, the error would reference 'compute.instances.create' directly. Option D is wrong because Cloud Build uses its own service account for execution, not the developer's personal account; the error is about the Cloud Build service account's permissions, not the developer's.

84
MCQ · hard

A multinational corporation has deployed a web application across multiple Google Cloud regions using an external HTTPS load balancer with backend services in each region. They recently added a new region (asia-southeast1) and updated the load balancer configuration. After the update, some users in that region report high latency and occasional connection timeouts when accessing the application. The load balancer health checks show all backends as healthy. The network team confirms that the backend instances in asia-southeast1 are correctly configured and can be accessed directly via their external IPs. What should the architects investigate next?

A. Check the Cloud CDN cache settings for the new region
B. Verify that the backend service in asia-southeast1 has the correct timeout settings for the load balancer
C. Ensure that the firewall rules allow traffic from the load balancer's health check ranges to the instances
D. Review the Cloud Armor security policy rules that might be blocking traffic from that region
Answer: D

Cloud Armor geo-filtering may block traffic from that region while allowing health checks from Google IPs.

Why this answer

Option D is correct because Cloud Armor security policies can block traffic based on geographic location. If the new region (asia-southeast1) was added but the Cloud Armor policy was not updated to allow traffic from that region, requests from users in asia-southeast1 could be denied or rate-limited, causing high latency and timeouts even though health checks (which originate from Google's health check ranges, not user IPs) show backends as healthy. The direct access via external IPs works because it bypasses the load balancer and its associated Cloud Armor policy.

Exam trap

Google Cloud often tests the misconception that health check success implies full end-to-end connectivity, but health checks bypass Cloud Armor and firewall rules that apply to user traffic, so healthy backends do not guarantee user traffic is allowed.

How to eliminate wrong answers

Option A is wrong because Cloud CDN cache settings affect content delivery speed and cache hit ratio, not connection timeouts or high latency caused by traffic blocking; CDN would not cause timeouts if the origin is reachable. Option B is wrong because timeout settings on the backend service control how long the load balancer waits for a response from the backend, but since health checks pass and direct access works, timeouts are not the issue; incorrect timeouts would affect all users, not just those in the new region. Option C is wrong because firewall rules for health check ranges are already correctly configured (health checks show all backends as healthy), and the issue is with user traffic, not health check probes; the network team confirmed backend instances are reachable via external IPs, indicating no firewall blockage.

85
MCQ · easy

A company stores sensitive data in Cloud Storage and wants to enforce encryption at rest using customer-managed keys. Which Google Cloud service should they use to manage the keys?

A. Cloud HSM
B. Secret Manager
C. Cloud KMS
D. IAM
Answer: C

Manages customer-managed encryption keys for Cloud Storage.

Why this answer

Cloud KMS (Key Management Service) is the correct choice because it is the native Google Cloud service for managing cryptographic keys, including customer-managed encryption keys (CMEK). It allows you to create, rotate, and control access to keys used to encrypt data at rest in Cloud Storage, and it integrates directly with Cloud Storage's CMEK feature. Cloud HSM is a hardware-backed key management option but is built on top of Cloud KMS, not a separate service for key management.

Exam trap

The trap here is that candidates confuse Cloud HSM as a separate key management service, but Cloud HSM is actually a hardware-backed key storage option that requires Cloud KMS for key management, not a replacement for it.

How to eliminate wrong answers

Option A is wrong because Cloud HSM is a hardware security module service that provides FIPS 140-2 Level 3 validated key storage, but it is an add-on to Cloud KMS, not a standalone key management service; you still use Cloud KMS to manage the keys stored in HSM. Option B is wrong because Secret Manager is designed to store and manage secrets such as API keys, passwords, and certificates, not for managing encryption keys used for data at rest in Cloud Storage. Option D is wrong because IAM (Identity and Access Management) is a service for managing access control and permissions, not for creating, storing, or managing encryption keys.

86
MCQ · hard

An organization has a multi-regional deployment of a stateful application on GKE using regional persistent disks. They need to implement disaster recovery with an RPO of less than 1 hour and RTO of 30 minutes. What is the most cost-effective approach?

A. Use zonal persistent disks and take snapshots every 45 minutes, then restore in secondary region.
B. Use regional persistent disks with asynchronous replication to a secondary region and deploy GKE clusters in both regions with a load balancer directing traffic.
C. Use a third-party replication tool to asynchronously replicate data to the secondary region.
D. Use Cloud Storage FUSE to write state to a multi-regional bucket and read from secondary cluster.
Answer: B

Regional pd already replicates within zone; adding asynchronous cross-region replication meets RPO/RTO.

Why this answer

Option B is correct because regional persistent disks with asynchronous replication provide built-in, managed replication to a secondary region, meeting the RPO of less than 1 hour and RTO of 30 minutes without additional infrastructure costs. By deploying GKE clusters in both regions and using a load balancer, traffic can be redirected to the secondary cluster within the RTO, making this the most cost-effective approach as it avoids third-party tools or complex manual processes.

Exam trap

The trap here is that candidates often confuse the cost-effectiveness of snapshots (Option A) with the need for low RPO/RTO, overlooking that snapshot-based recovery cannot meet sub-hour RTOs due to restore times, while regional persistent disk replication provides near-continuous replication at a lower total cost than third-party tools.

How to eliminate wrong answers

Option A is wrong because zonal persistent disks with snapshots every 45 minutes cannot guarantee an RPO of less than 1 hour due to snapshot consistency delays and the time required to restore volumes in a secondary region, which would exceed the 30-minute RTO. Option C is wrong because using a third-party replication tool introduces additional licensing, operational overhead, and potential compatibility issues, making it less cost-effective than Google's native asynchronous replication. Option D is wrong because Cloud Storage FUSE introduces significant latency and consistency challenges for stateful applications, and multi-regional buckets do not provide the low-latency, consistent storage required for a stateful application's RPO and RTO targets.

87
MCQ · hard

An organization is running a stateful workload on Compute Engine with a single persistent disk. They want to migrate to a regional persistent disk for higher availability. The disk is 500 GB and currently 80% full. They need zero downtime during the migration. What is the recommended approach?

A. Attach a new regional disk to the instance and use RAID 1 mirroring.
B. Create a snapshot of the disk, then create a new regional persistent disk from that snapshot, and attach it to the instance.
C. Use rsync to copy data to a new regional disk while the instance is running.
D. Use gcloud compute disks resize to change the disk type to regional.
Answer: B

This is the recommended migration path; snapshot creation is the only downtime window.

Why this answer

Option B is correct because creating a snapshot of the existing persistent disk and then creating a new regional persistent disk from that snapshot allows you to attach the new disk to the instance with zero downtime. The snapshot captures the disk state at a point in time, and the regional disk is created asynchronously; once available, you can detach the original disk and attach the regional disk without stopping the instance, as Compute Engine supports live disk attachment/detachment.

Exam trap

Google Cloud often tests the misconception that you can change a disk's type in-place using a resize or update command, but the only supported way to switch from zonal to regional is to create a new disk from a snapshot or image.

How to eliminate wrong answers

Option A is wrong because RAID 1 mirroring requires two disks of the same type and is not a supported feature for attaching a regional disk to a running instance; it would also require downtime to configure the RAID array. Option C is wrong because rsync does not provide a consistent point-in-time copy of a disk that is actively being written to, risking data inconsistency and requiring application-level quiescence to avoid corruption. Option D is wrong because gcloud compute disks resize does not support changing a disk's type from zonal to regional; you must create a new regional disk from a snapshot or image, not modify the existing disk.

88
MCQ · hard

Your company runs a critical application on Google Kubernetes Engine (GKE) in us-central1. The application consists of a frontend deployment with 3 replicas and a backend statefulset with 5 replicas using persistent volumes (SSD). Recently, the team noticed that during a regional outage in us-central1, the application became completely unavailable. They want to design a multi-region architecture that can survive a regional failure with RPO of 1 hour and RTO of 30 minutes. The application is stateless on the frontend but the backend stores critical data on persistent disks. The backend can operate in a read-only mode from a secondary region if needed. They have a limited budget and want to minimize ongoing costs. Which approach should they take?

A. Migrate the backend to Cloud SQL for MySQL with cross-region replication, and keep the frontend on GKE with multi-region ingress.
B. Deploy the frontend and backend in a regional GKE cluster and use regional persistent disks for the statefulset, replicating data synchronously across zones.
C. Deploy the frontend and backend in a single zonal cluster in us-central1-a, and use scheduled snapshots of persistent disks to a different region.
D. Deploy the frontend and backend in a regional GKE cluster across us-central1, and use a CronJob to take snapshots of persistent volumes every hour and copy them to a secondary region. In disaster, restore the snapshots to a new cluster in the secondary region.
Answer: D

Regional cluster survives zonal failure; snapshots provide cross-region backup with RPO 1 hour and RTO within 30 minutes if restore is automated.

Why this answer

Option D meets the RPO of 1 hour by using a CronJob to take hourly snapshots of PersistentVolume data and copy them to a secondary region. In a disaster, you restore those snapshots to a new GKE cluster in the secondary region, achieving an RTO of 30 minutes by automating the restore process. This approach minimizes ongoing costs because snapshots are incremental and you only pay for storage in the secondary region when needed, while the frontend remains stateless and can be redeployed quickly.

Exam trap

Google Cloud often tests the distinction between zonal, regional, and multi-region resilience; the trap here is that candidates may choose regional persistent disks (Option B) thinking they provide multi-region protection, when in fact they only replicate across zones within a single region.

How to eliminate wrong answers

Option A is wrong because migrating to Cloud SQL for MySQL with cross-region replication introduces significant ongoing costs for a managed database service and may not align with the existing statefulset architecture; it also requires application changes to use Cloud SQL instead of persistent disks. Option B is wrong because regional persistent disks replicate synchronously across zones within a single region, which does not protect against a full regional outage in us-central1. Option C is wrong because a single zonal cluster in us-central1-a cannot survive a regional failure, and scheduled snapshots to a different region without a restore plan in a secondary cluster do not meet the RTO of 30 minutes.
