CCNA Manage Provision Infra Questions

75 of 116 questions · Page 1/2 · Manage Provision Infra topic · Answers revealed

1
MCQeasy

Refer to the exhibit. A user (ops@example.com) is unable to create a new VPC network in the project. What should the administrator verify first?

A.The user has been granted roles/compute.admin.
B.The user has the project owner role.
C.The user has the roles/storage.admin role.
D.The user has appropriate IAM roles such as roles/compute.networkAdmin.
AnswerD

The current role is read-only; a more permissive role is needed.

Why this answer

To create a VPC network in Google Cloud, the user needs the compute.networks.create permission. The roles/compute.networkAdmin IAM role includes this permission, along with others needed to manage VPC networks. Option D correctly identifies that the user must have appropriate IAM roles, specifically roles/compute.networkAdmin or a custom role with the necessary compute.networks.create permission.

Exam trap

Google Cloud often tests the principle of least privilege and the specific IAM roles required for VPC operations, trapping candidates who assume that a broad role like compute.admin or owner is the first thing to verify, rather than the more specific networkAdmin role.

How to eliminate wrong answers

Option A is wrong because roles/compute.admin is a highly privileged role that includes all compute permissions, but it is not the minimum required role; the question asks what the administrator should verify first, and checking for a more specific role like roles/compute.networkAdmin is more appropriate. Option B is wrong because the project owner role (roles/owner) includes all permissions, but it is overly broad and not the first thing to verify; the administrator should check for the specific network admin role first. Option C is wrong because roles/storage.admin grants permissions for Cloud Storage, not for VPC network creation, which requires compute.networks.* permissions.

2
MCQeasy

Your company runs a critical application on Compute Engine instances in us-central1. The application requires low latency between instances that are all in the same region. You notice that network latency between instances varies and sometimes spikes. You want to ensure consistent low-latency communication. You currently use external IP addresses for communication between instances. What should you do?

A.Move instances to the same zone to reduce network hops.
B.Upgrade to larger machine types to improve network bandwidth.
C.Use internal IP addresses instead of external IPs for inter-instance communication.
D.Set up a Cloud VPN connection between instances.
AnswerC

Internal IPs use Google's internal network, which is optimized for low latency and higher throughput within the same region, avoiding the variability of external IP routing.

Why this answer

Using internal IP addresses (RFC 1918) for inter-instance communication avoids the overhead of NAT, external routing, and potential egress bottlenecks. Traffic stays within Google's internal network fabric, reducing latency variability and eliminating spikes caused by external internet path fluctuations.

Exam trap

The trap here is that candidates assume moving to the same zone or upgrading machine types will fix latency, but the root cause is the external IP routing path, not proximity or bandwidth.

How to eliminate wrong answers

Option A is wrong because moving instances to the same zone reduces physical distance but does not address the fundamental issue of using external IPs, which still forces traffic through external gateways and can introduce latency spikes. Option B is wrong because larger machine types increase network bandwidth (throughput) but do not reduce latency or eliminate the variability caused by external IP routing. Option D is wrong because Cloud VPN is designed for secure connectivity between on-premises and VPC, not for inter-instance communication within the same region; it adds encryption overhead and does not solve the external IP latency problem.

3
MCQmedium

A company has a production GKE cluster with a node pool using n1-standard-4 machine types. They need to change to e2-standard-4 without downtime. Which approach should be taken?

A.Enable GKE Node Auto-Repair to automatically fix the issue.
B.Delete the existing node pool and create a new one with the new machine type.
C.Update the existing node pool's machine type via gcloud container node-pools update.
D.Create a new node pool with the new machine type, cordon and drain old nodes, then delete the old pool.
E.Use gcloud compute machine-types change on the nodes.
AnswerD

Correct. This approach migrates workloads gracefully.

Why this answer

Option D is correct because it ensures zero downtime by first creating a new node pool with the desired e2-standard-4 machine type, then cordoning and draining the old nodes to gracefully migrate workloads, and finally deleting the old pool. This approach leverages Kubernetes' native pod eviction and rescheduling mechanisms to maintain application availability throughout the migration.

Exam trap

Google Cloud often tests the misconception that you can update an existing node pool's machine type via a simple command, but in GKE, machine type is immutable after creation, requiring a new pool and graceful migration.

How to eliminate wrong answers

Option A is wrong because Node Auto-Repair only fixes unhealthy nodes (e.g., those with kernel issues) and cannot change machine types. Option B is wrong because deleting the existing node pool before creating a new one would cause downtime, as workloads have no target nodes to migrate to. Option C is wrong because the gcloud container node-pools update command does not support changing the machine type of an existing node pool; machine type is an immutable property set at creation.

Option E is wrong because gcloud compute machine-types change is a Compute Engine command for standalone VMs, not applicable to GKE node pools managed by the cluster.

4
Multi-Selecteasy

Which TWO statements are true about Cloud Load Balancing?

Select 2 answers
A.All load balancers require a regional forwarding rule.
B.Regional load balancing supports TCP/UDP traffic.
C.Global load balancing supports only HTTP/S traffic.
D.Internal load balancing is only for traffic within the same VPC.
E.Load balancers can be associated with instance groups in multiple regions.
AnswersB, E

Regional external load balancers (e.g., Network Load Balancer) support TCP and UDP.

Why this answer

Regional load balancing supports TCP and UDP traffic because it operates at Layer 4, using the regional forwarding rule to direct packets based on IP protocol, port, and optional session affinity. This allows it to handle non-HTTP workloads such as DNS, VoIP, or gaming traffic that require UDP or raw TCP connections.

Exam trap

Google Cloud often tests the misconception that global load balancers only handle HTTP/S traffic, but in Google Cloud, global load balancers also support TCP and UDP via the global external proxy network load balancer, making option C a common trap.

5
Multi-Selecthard

Which THREE are best practices for managing secrets (e.g., API keys, passwords) in Google Cloud? (Select exactly 3.)

Select 3 answers
A.Rotate secrets regularly and automatically where possible.
B.Encrypt secrets and store them in source code repositories.
C.Use Secret Manager to store and version secrets.
D.Grant access to secrets using IAM roles at the project or secret level.
E.Pass secrets as environment variables to Compute Engine instances.
AnswersA, C, D

Regular rotation reduces the risk of compromised secrets.

Why this answer

Option A is correct because regular, automated rotation of secrets limits the window of exposure if a secret is compromised. Secret Manager supports automatic rotation policies with a rotation period and next rotation time, and can trigger a Cloud Function or Cloud Run service to generate a new secret version, ensuring secrets are rotated without manual intervention.

Exam trap

Google Cloud often tests the misconception that encrypting secrets before storing them in code repositories is acceptable, when in fact any storage in source control violates the principle of separation of secrets from code, and that environment variables are a secure method for passing secrets to Compute Engine instances, whereas they are easily exposed through metadata endpoints or process inspection.

6
MCQeasy

Your organization uses Cloud SQL for MySQL to host a production database. The database size is 500 GB. You need to create a read replica for reporting purposes. The read replica should be in a different region for disaster recovery. You have created the read replica in the us-west1 region. However, the replication lag is higher than expected, sometimes exceeding 5 minutes. What should you do to reduce replication lag?

A.Configure an external read replica using MySQL binary log replication.
B.Increase the disk size of the read replica.
C.Upgrade the primary instance to a higher machine type with more CPU and memory.
D.Decrease the backup window on the primary instance.
AnswerC

A higher machine type on the primary increases its ability to commit transactions and write to the binary log, which reduces replication lag. Also consider placing the replica in the same region if possible.

Why this answer

Option C is correct because replication lag in Cloud SQL for MySQL is often caused by the primary instance being unable to keep up with the write workload, especially when the replica is in a different region. Upgrading the primary to a higher machine type with more CPU and memory increases its capacity to process transactions and generate binary logs, reducing the backlog that causes lag. This directly addresses the root cause of high replication lag, unlike other options that target unrelated aspects.

Exam trap

Google Cloud often tests the misconception that replication lag is always a replica-side issue, leading candidates to focus on replica resources (disk size) or external configurations, when the real bottleneck is the primary's capacity to generate and send binary logs under heavy write load.

How to eliminate wrong answers

Option A is wrong because configuring an external read replica using MySQL binary log replication does not reduce lag; it introduces additional network latency and management overhead, and the lag issue is already present with a Cloud SQL replica. Option B is wrong because increasing the disk size of the read replica only provides more storage space, which does not affect replication lag; lag is caused by the primary's write throughput or network latency, not the replica's disk capacity. Option D is wrong because decreasing the backup window on the primary instance does not impact replication lag; backups are independent of the replication stream and do not affect binary log generation or transmission.

7
MCQmedium

A company is experiencing high latency in their VPC. They enabled VPC Flow Logs to capture metadata but need to analyze the logs for traffic patterns. Which Google Cloud service should they use to query and analyze VPC Flow Logs?

A.BigQuery
B.Cloud Storage
C.Cloud Logging
D.Cloud Monitoring
AnswerA

Exporting VPC Flow Logs to BigQuery allows powerful SQL analysis.

Why this answer

BigQuery is the correct service because VPC Flow Logs can be exported directly to BigQuery for querying and analyzing traffic patterns using SQL. BigQuery provides a serverless, highly scalable data warehouse that can handle large volumes of flow log metadata, enabling complex queries on source/destination IPs, ports, protocols, and packet counts. This allows the company to identify latency sources by analyzing traffic patterns over time.

Exam trap

The trap here is that candidates often confuse Cloud Logging (which can store and filter logs) with BigQuery (which is needed for complex SQL-based analysis), assuming that log storage alone is sufficient for deep traffic pattern queries.

How to eliminate wrong answers

Option B (Cloud Storage) is wrong because Cloud Storage is an object storage service for storing unstructured data, not a query engine; you would need additional tools like BigQuery or Dataproc to analyze the logs. Option C (Cloud Logging) is wrong because Cloud Logging is designed for real-time log ingestion, monitoring, and basic filtering, but it lacks the advanced SQL querying capabilities and scalability needed for deep traffic pattern analysis across large datasets. Option D (Cloud Monitoring) is wrong because Cloud Monitoring focuses on metrics, uptime checks, and alerting, not on querying raw log data like VPC Flow Logs.

8
Drag & Dropmedium

Drag and drop the steps to configure IAM roles for a service account to access Cloud Storage from a Compute Engine instance into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

The service account must be attached to the instance before it can be used. Granting roles is done on the service account.

9
Multi-Selecthard

Which THREE are required to configure Workload Identity for a GKE cluster? (Choose 3)

Select 3 answers
A.Create a Google Cloud service account
B.Create a Kubernetes service account
C.Enable Workload Identity on the GKE cluster
D.Bind the Kubernetes service account to the Google Cloud service account using a Kubernetes RoleBinding
E.Use a node pool that has Workload Identity enabled
AnswersA, B, C

The GSA is used to grant permissions to the Kubernetes service account.

Why this answer

Option A is correct because a Google Cloud service account (GSA) is required to authenticate to Google Cloud APIs from within GKE. Workload Identity maps a Kubernetes service account (KSA) to a GSA, allowing pods to inherit the GSA's IAM permissions without managing static keys. The GSA must be created first to define the identity that workloads will assume.

Exam trap

Google Cloud often tests the distinction between Kubernetes RoleBinding (for RBAC) and IAM policy binding (for Workload Identity), leading candidates to incorrectly select a RoleBinding as the binding mechanism.

10
MCQhard

A company runs a service on Cloud Run that needs to access a Cloud SQL instance via private IP. Both are in the same VPC network. The service cannot connect to the database. What is the most likely cause?

A.Cloud Run must be deployed in the same zone as Cloud SQL.
B.The IAM permissions for Cloud Run to access Cloud SQL are missing.
C.A firewall rule is blocking traffic.
D.Cloud Run needs a Serverless VPC Access connector.
E.The Cloud SQL instance needs a public IP assigned.
AnswerD

Correct. Serverless VPC Access enables Cloud Run to reach VPC resources.

Why this answer

Cloud Run services run in a Google-managed environment and cannot directly reach resources on a VPC network via private IP. A Serverless VPC Access connector is required to bridge the serverless environment to the VPC, enabling private IP connectivity to Cloud SQL. Without this connector, the Cloud Run service cannot route traffic to the Cloud SQL private IP, even if both are in the same VPC network.

Exam trap

Google Cloud often tests the misconception that being in the same VPC network automatically grants connectivity, but serverless services like Cloud Run require an explicit Serverless VPC Access connector to route traffic into the VPC.

How to eliminate wrong answers

Option A is wrong because Cloud Run is a serverless, zonal-agnostic service; it does not need to be in the same zone as Cloud SQL, and zone affinity does not affect private IP connectivity. Option B is wrong because IAM permissions (e.g., Cloud SQL Client role) control access to the Cloud SQL API for management operations, not network-level connectivity to the database's private IP; the issue is network routing, not authorization. Option C is wrong because firewall rules control traffic at the network layer, but Cloud Run cannot even send traffic into the VPC without a connector, so a firewall rule is not the primary cause.

Option E is wrong because the question specifies that the Cloud SQL instance uses private IP; assigning a public IP would expose the database to the internet and is unnecessary for private connectivity, and the problem is the lack of a routing path, not the IP type.

11
MCQeasy

A company is migrating a monolithic e-commerce application to Google Cloud. The application has been refactored into microservices. Most services are stateless and can run on Cloud Run. However, the checkout service requires maintaining session state across multiple requests, and the session data must be available globally for low latency. The application will be deployed in multiple regions to serve a global user base. Which approach should the company take?

A.Run the checkout service on Compute Engine with regional managed instance groups and Cloud Filestore
B.Use Cloud Run with session affinity and in-memory caching within each instance
C.Deploy the checkout service on Cloud Run in multiple regions, and use Memorystore (Redis) with replication as the session store
D.Deploy the checkout service on Google Kubernetes Engine using StatefulSets and regional persistent disks
AnswerC

Cloud Run can scale globally, and Memorystore provides a fast, shared session store.

Why this answer

Option C is correct because Memorystore (Redis) with replication provides a globally accessible, low-latency session store that can be used by Cloud Run instances in multiple regions. Redis replication ensures data durability and high availability, while Cloud Run's stateless nature is complemented by externalizing session state to a managed caching layer. This architecture meets the requirement for global session data availability without coupling state to individual compute instances.

Exam trap

The trap here is that candidates may assume session affinity (sticky sessions) is sufficient for stateful services on Cloud Run, but they overlook that Cloud Run instances are stateless and ephemeral, making external session storage like Redis mandatory for global, durable session management.

How to eliminate wrong answers

Option A is wrong because Compute Engine with regional managed instance groups and Cloud Filestore introduces unnecessary infrastructure complexity and latency; Cloud Filestore is a file storage service not designed for low-latency session state across global regions, and it lacks the in-memory performance needed for session data. Option B is wrong because Cloud Run with session affinity and in-memory caching within each instance cannot guarantee global session availability; session affinity only pins a client to a specific instance, but Cloud Run instances are ephemeral and can be terminated, losing in-memory session data, and cross-region access is not supported. Option D is wrong because Google Kubernetes Engine with StatefulSets and regional persistent disks ties session state to specific pods and disks, which cannot be shared globally across regions; persistent disks are zonal resources and do not provide low-latency access from multiple regions, defeating the global requirement.

12
MCQeasy

What will happen to this instance during a Google-initiated maintenance event?

A.The instance will be migrated and then restarted.
B.The instance will be terminated and then restarted after maintenance.
C.The instance will be preempted and deleted.
D.The instance will stop and remain stopped.
E.The instance will be live-migrated to another host.
AnswerB

Correct. TERMINATE with automaticRestart=true causes termination followed by restart.

Why this answer

During a Google-initiated maintenance event, a standard (non-live-migratable) Compute Engine instance is terminated and then restarted on another host after the maintenance is complete. This behavior is controlled by the instance's 'onHostMaintenance' setting; when set to 'TERMINATE' (the default for instances with GPUs or certain configurations), the instance is stopped, the host undergoes maintenance, and then the instance is restarted. Option B correctly describes this termination-and-restart sequence.

Exam trap

Google Cloud often tests the misconception that all instances are live-migrated by default, but the trap here is that instances with GPUs, local SSDs, or certain machine types are terminated instead, and candidates must recognize the 'TERMINATE' behavior as the correct answer.

How to eliminate wrong answers

Option A is wrong because 'migrated and then restarted' describes a live migration process, which is not used for instances that are terminated during maintenance; live migration keeps the instance running without restart. Option C is wrong because 'preempted and deleted' applies to preemptible VMs, which are terminated after 24 hours or when capacity is needed, not during standard maintenance events. Option D is wrong because the instance does not remain stopped; it is restarted after maintenance completes.

Option E is wrong because live migration is only used when 'onHostMaintenance' is set to 'MIGRATE', which is not the case for instances that undergo termination; the question implies a scenario where termination occurs.

13
MCQmedium

A company wants to migrate an on-premises Oracle database to Google Cloud. They need high availability and want to minimize application changes. Which service should they use?

A.Cloud SQL for MySQL
B.Bare Metal Solution
C.Cloud Spanner
D.Compute Engine with Oracle license
AnswerB

Bare Metal Solution offers dedicated Oracle-optimized hardware with minimal application changes.

Why this answer

Bare Metal Solution is correct because it provides dedicated physical servers for Oracle workloads, enabling high availability through Oracle RAC or Data Guard while preserving the existing Oracle database architecture. This minimizes application changes since the database remains Oracle-native, unlike managed services that require migration to a different database engine.

Exam trap

The trap here is that candidates often choose Compute Engine with Oracle license (Option D) thinking it is the most flexible, but they overlook the high-availability requirement and the operational overhead of manually configuring Oracle RAC or Data Guard, which Bare Metal Solution simplifies with a managed infrastructure.

How to eliminate wrong answers

Option A is wrong because Cloud SQL for MySQL is a managed MySQL service, not compatible with Oracle databases, requiring a full database migration and application code changes. Option C is wrong because Cloud Spanner is a globally distributed, horizontally scalable relational database that uses a proprietary SQL dialect, not Oracle-compatible, necessitating significant application rewrites. Option D is wrong because Compute Engine with Oracle license requires manual configuration for high availability (e.g., setting up Oracle RAC or Data Guard) and does not provide the same level of managed infrastructure as Bare Metal Solution, increasing operational complexity.

14
MCQmedium

A company has two VPC networks in the same project: 'vpc-prod' and 'vpc-dev'. They want to allow communication between instances in both VPCs. What is the simplest method?

A.Create a VPC Network Peering connection between them
B.Set up a Cloud VPN tunnel between the two VPCs
C.Configure a custom route in each VPC pointing to the other's subnet
D.Add firewall rules allowing traffic between the VPCs
AnswerA

VPC Network Peering enables direct, private connectivity.

Why this answer

VPC Network Peering is the simplest method because it directly connects two VPCs using Google's internal infrastructure, allowing private RFC 1918 IP communication across the networks without requiring external gateways, VPN tunnels, or additional bandwidth costs. It requires no routes to be manually configured—Google automatically adds the necessary routes for each peered VPC's subnets—and only a single firewall rule to permit traffic between the instances.

Exam trap

Google Cloud often tests the misconception that firewall rules alone can enable inter-VPC communication, but candidates must remember that firewall rules are only effective after a connectivity mechanism (like peering or VPN) is in place.

How to eliminate wrong answers

Option B is wrong because a Cloud VPN tunnel introduces unnecessary complexity and latency by routing traffic over the public internet or through Cloud VPN gateways, whereas VPC peering uses Google's internal backbone with lower latency and no per-tunnel charges. Option C is wrong because custom routes alone cannot enable inter-VPC communication; routes only direct traffic to a next hop, but without a peering connection or VPN tunnel, there is no path for the packets to travel between the VPCs. Option D is wrong because firewall rules only control allowed traffic within a VPC or between VPCs that already have a connectivity mechanism (like peering or VPN); they do not establish the underlying network link required for packets to leave one VPC and enter another.

15
Multi-Selecteasy

Which TWO statements about Google Cloud VPC networks are true? (Choose two.)

Select 2 answers
A.Subnets are regional resources.
B.VPC networks are global resources.
C.VPC networks are project-level resources.
D.Firewall rules are regional.
E.Subnets are zonal resources.
AnswersA, B

Subnets are regional and can span zones.

Why this answer

Subnets in Google Cloud VPC are regional resources. When you create a subnet, you specify a region and a CIDR block, and the subnet spans all zones within that region. This allows resources in different zones of the same region to use the same subnet without additional configuration.

Exam trap

The trap here is that candidates often confuse subnets as zonal resources (like in AWS or on-premises networking) and firewall rules as regional, but Google Cloud VPC treats subnets as regional and firewall rules as global, which is a key differentiator tested on the PCA exam.

16
MCQmedium

A company runs a microservices application on Google Kubernetes Engine (GKE). Each service is deployed as a Deployment with resource requests and limits. After deploying a new version of a service, the pods start crashing with OOMKilled. The team increased the memory limits in the Deployment manifest, but the pods still crash after a few minutes. The cluster has cluster autoscaling enabled. The node pool has sufficient capacity. What is the most likely cause of the issue?

A.The Horizontal Pod Autoscaler is configured with a wrong target metric
B.The cluster autoscaler is not scaling up quickly enough
C.The application has a memory leak
D.The pods are hitting the node's ephemeral storage limit
AnswerC

Memory leak causes continuously increasing memory usage, leading to OOMKilled even with higher limits.

Why this answer

Option C is correct because the pods are crashing with OOMKilled even after increasing memory limits, and the node pool has sufficient capacity. This indicates the application itself has a memory leak, where memory usage grows unbounded over time until it exceeds the new limit, causing the OOMKiller to terminate the pod. Increasing limits only delays the crash if the leak persists.

Exam trap

The trap here is that candidates confuse resource limits with scaling mechanisms, assuming that increasing limits or enabling autoscaling fixes memory exhaustion, rather than recognizing the application-level memory leak as the root cause.

How to eliminate wrong answers

Option A is wrong because the Horizontal Pod Autoscaler (HPA) scales the number of pods based on CPU/memory utilization, but it does not prevent individual pods from being OOMKilled; the issue is per-pod memory exhaustion, not scaling. Option B is wrong because cluster autoscaler scales node count when pods are unschedulable due to resource shortage, but the node pool has sufficient capacity, so the autoscaler is not the bottleneck. Option D is wrong because ephemeral storage limits affect disk space, not memory; OOMKilled is a memory-related termination, not a storage issue.

17
MCQeasy

A developer needs to programmatically create and manage Compute Engine instances. Which Google Cloud service should they use to authenticate and authorize service accounts?

A.Cloud Audit Logs
B.Cloud Key Management Service (KMS)
C.Cloud Scheduler
D.Cloud IAM
AnswerD

IAM manages service accounts and permissions.

Why this answer

Cloud IAM is the correct service because it provides the identity and access management framework for authenticating and authorizing service accounts. When a developer creates Compute Engine instances, they must attach a service account and grant IAM roles (e.g., roles/compute.instanceAdmin) to define what actions that service account can perform. Cloud IAM handles the authentication via OAuth 2.0 tokens and authorization via role-based access control (RBAC), making it the foundational service for managing service account permissions.

Exam trap

Google Cloud often tests the misconception that Cloud Audit Logs or Cloud KMS can handle authentication/authorization, but candidates must remember that only Cloud IAM manages identities and permissions, while the other options serve logging or encryption purposes.

How to eliminate wrong answers

Option A is wrong because Cloud Audit Logs is a logging service that records API calls and administrative actions, not a service for authenticating or authorizing service accounts. Option B is wrong because Cloud Key Management Service (KMS) manages cryptographic keys for encryption, not identity or permission management for service accounts. Option C is wrong because Cloud Scheduler is a cron-job service for triggering tasks on a schedule, and it has no role in authentication or authorization of service accounts.

18
MCQhard

An organization has multiple projects in Google Cloud and wants to centralize logging and monitoring for all projects. They need to aggregate logs from all projects into a single project for analysis. Which approach should they use?

A.Export logs from each project to a Cloud Storage bucket and then import them into BigQuery.
B.Enable Cloud Audit Logs for all projects and view them from the central project.
C.Install the Stackdriver agent on all VMs and point them to the central project.
D.Create a logs sink in each project that exports logs to a BigQuery dataset in the central project.
AnswerD

Logs sinks can route any log entries to BigQuery.

Why this answer

Option D is correct because Google Cloud's logs sink feature allows you to route logs from multiple source projects to a centralized BigQuery dataset in a single destination project. This approach aggregates logs efficiently without requiring agents or manual import steps, and it supports real-time log export for analysis.

Exam trap

The trap here is that candidates confuse the Stackdriver agent (which collects logs from VMs) with the logs sink feature (which routes logs from projects), leading them to choose Option C instead of the correct centralized export method.

How to eliminate wrong answers

Option A is wrong because exporting logs to Cloud Storage and then importing them into BigQuery adds unnecessary latency and complexity; logs sinks can export directly to BigQuery. Option B is wrong because Cloud Audit Logs are enabled per project and cannot be centrally viewed without aggregation; they must be exported via sinks to a central project. Option C is wrong because the Stackdriver agent (now legacy) is used for collecting VM metrics and logs, but it cannot aggregate logs from multiple projects into a single central project; logs sinks are the correct mechanism for cross-project log aggregation.

19
MCQhard

A company runs a batch processing workload on Compute Engine instances. The workload is triggered every hour and runs for about 10 minutes. They want to reduce costs. They currently use preemptible VMs, but they notice that sometimes the workload fails because VMs are preempted before completion. They need a cost-effective solution that ensures the workload completes reliably. What should they do?

A.Increase the machine size of the preemptible VMs to finish faster.
B.Provision a commitment-based discount for standard VMs.
C.Use standard (non-preemptible) VMs to avoid preemption.
D.Create a custom machine type with minimal resources and use a managed instance group with preemptible VMs, combined with a startup script that retries on failure.
AnswerD

Custom machine types match the exact resource needs, avoiding waste. Preemptible VMs are cheap, and the managed instance group will recreate VMs if preempted. A startup script that retries ensures reliability.

Why this answer

Option D is correct because it combines the cost savings of preemptible VMs with reliability through a managed instance group (MIG) and a retry startup script. The MIG automatically recreates VMs if preempted, and the startup script ensures the batch workload restarts from where it left off or retries the entire job, guaranteeing completion at minimal cost.

Exam trap

The trap here is that candidates assume standard VMs are the only reliable option, overlooking that managed instance groups with preemptible VMs and retry logic provide both reliability and cost savings.

How to eliminate wrong answers

Option A is wrong because increasing machine size does not prevent preemption; preemptible VMs can be terminated at any time regardless of size, and larger machines may actually increase cost without solving the reliability issue. Option B is wrong because commitment-based discounts (e.g., 1-year or 3-year commitments) require a sustained usage baseline, but this workload runs only 10 minutes per hour, making commitments cost-ineffective and inflexible. Option C is wrong because while standard VMs avoid preemption, they are significantly more expensive than preemptible VMs, and the goal is a cost-effective solution, not just reliability.

20
MCQeasy

An organization needs to ensure that only Compute Engine instances with a specific label can access a Cloud Storage bucket. Which policy type should be used?

A.Organization policy
B.Firewall rule
C.IAM policy
D.Signed URL
AnswerC

IAM conditions can enforce label-based access to Cloud Storage.

Why this answer

IAM policies are the correct mechanism to control access to Cloud Storage buckets based on identity and conditions. By attaching an IAM policy to the bucket with a condition that checks for a specific label on the requesting Compute Engine instance (e.g., using `resource.labels.tag`), you can restrict access to only those instances that have that label. This is the native Google Cloud way to implement attribute-based access control (ABAC) for storage resources.

Exam trap

The trap here is that candidates often confuse IAM conditions with Organization policies or firewall rules, thinking that network-level controls can enforce label-based access to Cloud Storage, when in fact only IAM with conditions can evaluate resource metadata like labels at the API level.

How to eliminate wrong answers

Option A is wrong because Organization policies are used to enforce constraints on all resources within an organization (e.g., disabling service creation), not to grant or deny access to individual resources like a Cloud Storage bucket based on instance labels. Option B is wrong because Firewall rules control network traffic at the VPC level (IP addresses, ports, protocols) and cannot evaluate instance labels or grant access to Cloud Storage, which is a global service accessed via HTTPS. Option D is wrong because Signed URLs provide time-limited access to specific objects in a bucket without requiring authentication, but they cannot restrict access based on the requesting instance's labels; they are designed for sharing objects externally, not for internal access control.

21
MCQhard

An organization policy at the organization level restricts project creation to only Project Creator role holders. The exhibit shows the IAM policy for the organization. A member of the group pm-team@example.com attempts to create a project but receives a permission denied error. What is the most likely cause?

A.The user's email domain is not allowed by the organization policy.
B.An organization policy with a constraint to block project creation for non-allowlisted users is enforced.
C.The group pm-team@example.com does not exist.
D.The IAM policy is missing the resourcemanager.projectCreator role.
AnswerB

Organization policy can deny project creation even if IAM allows it.

Why this answer

Option B is correct because the organization policy explicitly restricts project creation to only users who hold the Project Creator role. The user is a member of pm-team@example.com but does not have the Project Creator role, so the policy denies the request. This is a common IAM constraint at the organization level that overrides any lower-level permissions.

Exam trap

Google Cloud often tests the distinction between IAM roles and organization policies, where candidates mistakenly think that having a role at any level is sufficient, ignoring that organization-level constraints can block actions even with the correct role at a lower level.

How to eliminate wrong answers

Option A is wrong because the organization policy does not mention any email domain restriction; the error is due to role absence, not domain. Option C is wrong because if the group did not exist, the user would not be a member and the error would be different (e.g., 'group not found'), not a permission denied on project creation. Option D is wrong because the IAM policy shown includes the resourcemanager.projectCreator role for the group, but the organization policy overrides it by restricting creation to only Project Creator role holders, meaning the user lacks the specific role binding required by the policy.

22
MCQmedium

Refer to the exhibit. A developer wants to SSH into instance-1 from their local machine. Which command should they use?

A.gcloud compute ssh instance-2
B.gcloud compute ssh instance-1 --project default
C.gcloud compute ssh instance-1 --internal-ip
D.gcloud compute ssh instance-1 --zone us-central1-a
AnswerD

This command uses the external IP via SSH keys managed by gcloud.

Why this answer

Option D is correct because the `gcloud compute ssh` command requires the `--zone` flag when the zone is not set in the gcloud configuration or when the instance is in a different zone than the default. In this scenario, instance-1 is in zone us-central1-a, so specifying `--zone us-central1-a` ensures the SSH connection targets the correct instance. Without this flag, the command may fail or connect to the wrong instance if the default zone is different.

Exam trap

The trap here is that candidates often overlook the zone requirement and assume the `--project` flag or omitting the zone will work, but the PCA exam tests the precise need for zone specification when the default zone is not set or differs from the instance's zone.

How to eliminate wrong answers

Option A is wrong because it specifies instance-2 instead of instance-1, which is the target instance the developer wants to SSH into. Option B is wrong because the `--project default` flag sets the project ID, but the issue here is the zone, not the project; the command would still fail if the zone is not correctly specified or defaults to a different zone. Option C is wrong because `--internal-ip` forces the SSH connection to use the internal IP address, which is not reachable from a local machine outside the VPC network; this flag is only useful when connecting from within the same network.

23
MCQhard

A company is migrating a large on-premises SQL Server database to Cloud SQL for SQL Server. The database is 2 TB in size and must have minimal downtime. Which approach should they use?

A.Set up a Cloud SQL HA instance and replicate on-premises using Always On availability groups
B.Export the database to CSV files, then import using Cloud SQL import
C.Use Database Migration Service (DMS) for continuous one-way replication
D.Perform a full backup to Cloud Storage, then restore into Cloud SQL
AnswerC

DMS provides near-zero downtime migration for SQL Server.

Why this answer

Database Migration Service (DMS) supports continuous one-way replication from on-premises SQL Server to Cloud SQL for SQL Server using native SQL Server transaction log shipping or Always On availability group replication. This minimizes downtime by keeping the target synchronized during the migration cutover, which is critical for a 2 TB database where a full backup/restore would cause extended downtime.

Exam trap

The trap here is that candidates often assume a full backup/restore (Option D) is the simplest and fastest method, but for large databases with minimal downtime requirements, continuous replication via DMS is the only viable option, and Cloud SQL HA (Option A) is a high-availability feature for within Cloud SQL, not for hybrid replication from on-premises.

How to eliminate wrong answers

Option A is wrong because setting up a Cloud SQL HA instance with Always On availability groups for replication from on-premises is not a supported configuration; Cloud SQL for SQL Server does not support Always On availability groups as a replication target from external sources. Option B is wrong because exporting a 2 TB database to CSV files is impractical for minimal downtime due to the time required for export, transfer, and import, and it does not provide continuous replication to avoid downtime. Option D is wrong because performing a full backup to Cloud Storage and restoring into Cloud SQL requires taking the on-premises database offline for the duration of the backup and restore, which does not meet the minimal downtime requirement.

24
MCQmedium

A developer runs the command above. The instance is created successfully, but cannot be reached via HTTP from the internet. What is the most likely cause?

A.There is no firewall rule allowing ingress traffic on ports 80 and 443.
B.The machine type n1-standard-2 is not suitable for HTTP.
C.The image family debian-10 does not support HTTP.
D.The boot disk type pd-standard is too slow.
AnswerA

Tags alone don't open ports; firewall rules needed.

Why this answer

The most likely cause is that there is no firewall rule allowing ingress traffic on ports 80 and 443. By default, Google Cloud Platform (GCP) firewall rules block all incoming traffic from the internet. Even though the instance is created successfully, HTTP/HTTPS traffic cannot reach it unless a firewall rule explicitly permits ingress on TCP ports 80 and 443, typically via a target tag like 'http-server' or 'https-server'.

Exam trap

Google Cloud often tests the misconception that creating a VM with a public IP automatically makes it reachable from the internet, when in reality GCP's default firewall rules block all ingress traffic until explicitly opened.

How to eliminate wrong answers

Option B is wrong because the machine type n1-standard-2 is a general-purpose machine that fully supports HTTP traffic; machine type does not affect protocol support. Option C is wrong because the image family debian-10 is a standard Linux distribution that supports HTTP out of the box; the OS image does not determine network reachability. Option D is wrong because the boot disk type pd-standard (standard persistent disk) provides sufficient I/O for basic HTTP serving; disk speed does not prevent the instance from being reached via HTTP from the internet.

25
MCQhard

Your company runs a stateful web application on Compute Engine instances in a managed instance group (MIG) with autoscaling based on CPU utilization. The application maintains session state in memory on each instance. Recently, users have been experiencing session timeouts and data loss during scaling events. Additionally, the application's performance degrades under load due to frequent database queries for session data. You need to design a solution that ensures session persistence, improves performance, and minimizes application changes. The application is written in Java and uses Tomcat. Which of the following should you do?

A.Rewrite the application to be stateless by moving all state to the frontend using JWT tokens, eliminating the need for server-side sessions.
B.Deploy Cloud Memorystore for Redis as a session store, and configure Tomcat to use Redis-backed session persistence using the Redisson or Spring Session framework.
C.Configure the load balancer to use session affinity (sticky sessions) and increase the instance size to handle more sessions per instance.
D.Store session data in Cloud SQL using Spring Session JDBC, and configure the application to retrieve sessions from the database.
AnswerB

Redis provides fast, in-memory session storage accessible by all instances, ensuring persistence and performance with minimal code changes.

Why this answer

Option B is correct because it introduces an external, highly available, in-memory session store (Cloud Memorystore for Redis) that decouples session state from individual Compute Engine instances. This eliminates session loss during autoscaling events and reduces database load by serving session data from fast Redis memory, all while requiring minimal application changes via Tomcat's built-in session persistence or Spring Session integration.

Exam trap

The trap here is that candidates often choose session affinity (sticky sessions) thinking it solves session persistence, but it only routes traffic to the same instance and does not protect against session loss when that instance is terminated during autoscaling or maintenance.

How to eliminate wrong answers

Option A is wrong because rewriting the application to be stateless with JWT tokens moves session state to the frontend, which requires significant application changes and does not address the existing Tomcat session management; it also shifts security and token management complexity without solving the immediate session persistence issue. Option C is wrong because session affinity (sticky sessions) ties a user to a specific instance, which does not prevent session loss when that instance is terminated during autoscaling; increasing instance size only delays the problem and does not provide a shared, durable session store. Option D is wrong because storing session data in Cloud SQL (a relational database) introduces latency and contention for frequent session reads/writes, degrading performance under load, and it does not leverage the in-memory speed needed for session persistence; it also requires more application changes than using Redis with Tomcat.

26
MCQhard

Refer to the exhibit. A Cloud Deployment Manager deployment fails with the error 'Resource 'my-firewall' already exists'. What is the most likely cause?

A.The user lacks IAM permissions to create firewall rules.
B.The network reference in the firewall rule is incorrect.
C.A firewall rule with the name 'my-firewall' already exists in the project.
D.The deployment does not include a 'delete' policy for existing resources.
AnswerC

The error clearly indicates the resource already exists.

Why this answer

Option C is correct because the error message 'Resource 'my-firewall' already exists' directly indicates that a firewall rule with the exact name 'my-firewall' is already present in the project. Cloud Deployment Manager creates resources by name, and if a resource with the same name exists (even if it was created outside the deployment), the deployment will fail unless the deployment is configured to adopt or manage that existing resource. The error is not about permissions, network references, or missing delete policies—it is a name collision.

Exam trap

Google Cloud often tests the distinction between resource name conflicts and other common errors (permissions, invalid references) to see if candidates can interpret the exact error message rather than guessing based on general troubleshooting.

How to eliminate wrong answers

Option A is wrong because an IAM permission issue would produce an error like 'Permission denied' or 'Required permission compute.firewalls.create', not a 'Resource already exists' error. Option B is wrong because an incorrect network reference would cause a validation error such as 'Invalid value for field 'network'' or a 400 Bad Request, not a resource name conflict. Option D is wrong because Deployment Manager does not require a 'delete' policy for existing resources; the 'delete' policy controls what happens to resources when the deployment is deleted, not whether a deployment can create a resource with a duplicate name.

27
Multi-Selecteasy

A company wants to enable a new DevOps team to have read-only access to logs in the default Cloud Logging bucket for their project, but prevent them from modifying log views or creating linked datasets in BigQuery. Which two IAM roles should be granted to the team?

Select 2 answers
A.roles/logging.viewAccessor
B.roles/logging.configWriter
C.roles/logging.admin
D.roles/logging.viewer
E.roles/bigquery.dataViewer
AnswersA, D

Allows viewing of log views without modifying them.

Why this answer

The roles/logging.viewAccessor role grants read-only access to log entries in Cloud Logging buckets, including the default bucket, without allowing modifications to log views or linked datasets. The roles/logging.viewer role provides broader read-only access to all Logging resources, including logs, but still prevents modifying log views or creating linked datasets in BigQuery. Together, these two roles satisfy the requirement of read-only log access while explicitly excluding permissions to alter log views or manage BigQuery linked datasets.

Exam trap

The trap here is that candidates often confuse roles/logging.viewer with roles/logging.viewAccessor, thinking they are interchangeable, but the exam tests the distinction that viewAccessor is bucket-scoped and viewer is project-scoped, and both are needed to cover the default bucket access without granting modification permissions.

28
MCQhard

A company has a production database running on Cloud SQL. They need to ensure high availability with automatic failover in the event of a zone outage. What should they do?

A.Export the database to Cloud Storage and import in another region.
B.Enable Cloud SQL High Availability (HA) configuration.
C.Create a cross-region read replica.
D.Configure automated backups.
AnswerB

HA provides automatic failover to standby in another zone.

Why this answer

Enabling Cloud SQL High Availability (HA) configuration provisions a standby instance in a different zone within the same region, using synchronous replication to ensure zero data loss. In the event of a zone outage, Cloud SQL automatically fails over to the standby instance, typically within 60 seconds, providing high availability without manual intervention.

Exam trap

Google Cloud often tests the distinction between high availability (automatic failover within a region) and disaster recovery (cross-region replication or backups), leading candidates to confuse read replicas or backups with HA solutions.

How to eliminate wrong answers

Option A is wrong because exporting to Cloud Storage and importing in another region is a manual, disaster recovery process that does not provide automatic failover and incurs significant downtime. Option C is wrong because a cross-region read replica is designed for read scaling and asynchronous replication, not for automatic failover; promoting a read replica requires manual steps and may result in data loss. Option D is wrong because automated backups protect against data corruption or accidental deletion but do not provide a standby instance for automatic failover during a zone outage.

29
MCQeasy

Refer to the exhibit. What is the effect of this IAM policy on a Cloud Storage bucket?

A.All users from example.com can view objects.
B.Only Alice can view objects.
C.Alice and all users from example.com can view objects.
D.Alice can view objects but not list buckets.
AnswerC

The bindings include both Alice and the entire domain.

Why this answer

The IAM policy grants the `storage.objectViewer` role to both the user `alice@example.com` and the domain `example.com`. This means Alice and all authenticated users from the example.com domain (i.e., any Google account ending in @example.com) can view objects in the bucket. The correct answer is C because the policy explicitly includes both principals.

Exam trap

Google Cloud often tests the additive nature of IAM policies — candidates mistakenly think a more specific user binding overrides a broader domain binding, but in reality, all granted permissions are combined, not mutually exclusive.

How to eliminate wrong answers

Option A is wrong because it ignores the specific user `alice@example.com`; the policy grants access to Alice as well, not just all users from example.com. Option B is wrong because the policy also grants access to all users from example.com, not only Alice. Option D is wrong because the `storage.objectViewer` role includes the permission to list objects (via `storage.objects.list`) and view objects (via `storage.objects.get`); it does not restrict listing buckets, and the policy does not mention bucket listing at all.

30
MCQhard

What is the networking mode of this GKE cluster?

A.VPC-native networking
B.Hybrid networking
C.Standard networking
D.Routes-based networking
E.Private cluster networking
AnswerA

Correct. IP aliases and secondary ranges indicate VPC-native mode.

Why this answer

A is correct because VPC-native networking is the default and recommended networking mode for GKE clusters, where the cluster uses alias IP ranges (RFC 6598) on the VPC network. This mode assigns pod IP addresses directly from the VPC subnet's secondary IP range, enabling native integration with VPC features like Cloud NAT, VPC Flow Logs, and firewall rules without requiring manual route management.

Exam trap

The trap here is that candidates confuse 'private cluster' (a cluster with internal-only node IPs) with a networking mode, when in fact private clusters can use either VPC-native or routes-based networking, and the question specifically asks for the networking mode.

How to eliminate wrong answers

Option B is wrong because hybrid networking refers to connecting on-premises networks to Google Cloud via Cloud VPN or Dedicated Interconnect, not to the internal networking mode of a GKE cluster. Option C is wrong because standard networking is not a recognized GKE networking mode; GKE uses either VPC-native or routes-based networking. Option D is wrong because routes-based networking is a legacy mode that relies on custom static routes and iptables for pod-to-pod communication, but it is not the default and is being phased out in favor of VPC-native.

Option E is wrong because private cluster networking is a cluster configuration (where nodes have internal-only IPs) that can be used with either VPC-native or routes-based networking; it is not a distinct networking mode.

31
MCQmedium

A company is migrating a stateful application to Google Cloud. The application requires persistent disks with low latency and high IOPS for database workloads. They plan to use Compute Engine instances with SSD persistent disks. However, the database performance is lower than expected. Which action should the company take to improve disk performance?

A.Change the persistent disk type to standard persistent disk.
B.Increase the disk size to increase baseline IOPS.
C.Use local SSDs with RAID 0 configuration for the database data.
D.Enable disk encryption to improve I/O throughput.
AnswerC

Local SSDs provide higher IOPS and lower latency than persistent disks. Using RAID 0 stripes data across multiple local SSDs for even higher performance.

Why this answer

Option C is correct because local SSDs provide the highest IOPS and lowest latency of any disk option on Compute Engine, and striping them with RAID 0 aggregates their performance. This directly addresses the need for high IOPS and low latency for database workloads, unlike persistent disks which have performance ceilings tied to disk size and instance limits.

Exam trap

The trap here is that candidates often assume increasing persistent disk size is the only way to improve IOPS, overlooking that local SSDs provide dramatically higher performance by being directly attached to the instance, and that RAID 0 is a common technique to aggregate their performance.

How to eliminate wrong answers

Option A is wrong because standard persistent disks have lower IOPS and higher latency than SSD persistent disks, which would worsen performance, not improve it. Option B is wrong because while increasing disk size does increase baseline IOPS for SSD persistent disks, the performance gain is limited by the persistent disk's architecture and does not match the raw throughput of local SSDs; it also increases cost without solving the latency issue. Option D is wrong because enabling disk encryption (e.g., using CMEK or CSEK) does not improve I/O throughput; encryption adds a small CPU overhead for encryption/decryption operations and can slightly reduce performance.

32
MCQmedium

A company is deploying a web application on Google Kubernetes Engine. The application serves HTTP traffic and needs to scale based on CPU utilization. They also need to expose the application to the internet with a single global IP address. They create a Deployment with a HorizontalPodAutoscaler. However, the application is not receiving traffic from the internet. What should they do to expose the application correctly?

A.Create an Ingress resource with the GCE ingress controller.
B.Create a Service of type NodePort and use a firewall rule to allow traffic.
C.Create a Service of type ClusterIP and a load balancer manually.
D.Define a Network Endpoint Group (NEG) and attach it to a backend service.
AnswerA

The GCE ingress controller provisions an external HTTP(S) load balancer with a single anycast IP address, which meets the requirement for a global IP.

Why this answer

The correct approach is to create an Ingress resource with the GCE ingress controller because it provides a single global IP address via an HTTP(S) load balancer, which is required for internet-facing traffic. The HorizontalPodAutoscaler scales the Deployment based on CPU utilization, but the application must be exposed through a Service (typically of type NodePort or ClusterIP) that the Ingress routes to. The GCE ingress controller automatically provisions a global HTTP(S) load balancer, satisfying the requirement for a single global IP address.

Exam trap

The trap here is that candidates often confuse exposing a service with a LoadBalancer type (which gives a regional IP) versus using an Ingress (which gives a global IP), and they overlook that the question explicitly requires a single global IP address, which only the GCE ingress controller can provide.

How to eliminate wrong answers

Option B is wrong because a Service of type NodePort exposes the application on a high port on each node's IP, but it does not provide a single global IP address; it requires a firewall rule and manual load balancing, which is not scalable or global. Option C is wrong because a Service of type ClusterIP is only reachable within the cluster, not from the internet, and manually creating a load balancer would not integrate with GKE's managed ingress or provide a single global IP efficiently. Option D is wrong because a Network Endpoint Group (NEG) is a lower-level construct used for container-native load balancing, but it must be attached to a backend service of a load balancer; simply defining a NEG does not expose the application to the internet without an Ingress or a load balancer configuration.

33
Multi-Selectmedium

Which THREE of the following are best practices when using Deployment Manager to manage infrastructure? (Choose three.)

Select 3 answers
A.Use raw REST API calls in templates.
B.Use templates to define resources modularly.
C.Use only YAML configuration files.
D.Use imports to reference shared configurations.
E.Use composite types to bundle related resources.
AnswersB, D, E

Correct. Templates are reusable.

Why this answer

Using templates promotes reusability and modularity. Imports allow you to define common resources across deployments. Composite types bundle related resources into a single entity.

YAML files are basic, but using Python or Jinja allows dynamic generation. The three best practices are using templates, imports, and composite types.

34
MCQmedium

A Cloud Function fails to connect to a Cloud SQL instance. The Cloud SQL instance has a private IP. What should the developer check?

A.Ensure the Cloud SQL Proxy is running and configured.
B.Verify the Cloud Function's network settings.
C.Ensure either Cloud SQL Proxy is running or a VPC connector is configured, and IAM permissions are correct.
D.Configure a VPC connector for the Cloud Function.
AnswerC

Both connectivity and authorization must be in place.

Why this answer

Option C is correct because a Cloud Function with a private IP Cloud SQL instance requires either the Cloud SQL Proxy (which uses the Cloud SQL Auth proxy to establish an encrypted connection via the public IP, but if the instance has only a private IP, the proxy must be run within the same VPC) or a VPC connector to enable private networking. Additionally, proper IAM permissions (e.g., Cloud SQL Client role) are necessary for the proxy or connector to authenticate and connect. Without both the network path and IAM permissions, the connection will fail.

Exam trap

Google Cloud often tests the misconception that either a VPC connector or the Cloud SQL Proxy alone is sufficient, when in fact both the network path (via VPC connector or proxy in the VPC) and correct IAM permissions are required for private IP connectivity.

How to eliminate wrong answers

Option A is wrong because simply ensuring the Cloud SQL Proxy is running and configured is insufficient if the Cloud Function is not in the same VPC or lacks a VPC connector; the proxy alone cannot reach a private IP Cloud SQL instance from outside the VPC. Option B is wrong because verifying the Cloud Function's network settings is too vague and does not address the specific requirement of establishing a private network path via a VPC connector or proxy within the VPC. Option D is wrong because configuring a VPC connector alone is not enough; the Cloud SQL Proxy must also be running (or the connector must be paired with proper IAM permissions and the Cloud SQL Auth proxy) to handle authentication and encryption, and IAM permissions must be correct.

35
Multi-Selectmedium

A company needs to connect two VPC networks in different Google Cloud regions. The VPCs are in separate projects under the same organization. The connection must use private IP addresses and support high throughput. Which TWO options meet these requirements? (Choose 2.)

Select 2 answers
B.VPC Network Peering
C.Cloud NAT
D.Cloud VPN (HA VPN Classic)
E.Shared VPC
AnswersB, D

Correct: Cross-region and cross-project VPC peering is supported, using private IPs with high throughput.

Why this answer

VPC Network Peering works across regions and projects within the same organization, using private IPs and supporting high throughput. Cloud VPN also works across regions and projects, providing encrypted private connectivity. Shared VPC is for sharing subnets within a project, not for connecting separate projects.

Cloud NAT is for outbound internet access. HA VPN Gateway is a component of Cloud VPN, not a standalone connection method.

36
MCQmedium

A company uses Terraform to manage Google Cloud infrastructure. They want to store the Terraform state file in a remote backend with state locking to prevent concurrent modifications. Which Google Cloud service supports this natively?

A.Cloud Firestore
B.Cloud Spanner
C.Bigtable
D.Cloud Storage
E.Cloud SQL
AnswerD

Correct. Cloud Storage is the native Terraform backend for GCP.

Why this answer

Google Cloud Storage (GCS) is the only option that natively supports Terraform's remote state backend with state locking. Terraform uses GCS's object versioning and a write-lock mechanism via a separate lock file (e.g., `default.tflock`) stored in the same bucket, leveraging GCS's strong consistency for atomic operations. This prevents concurrent `terraform apply` commands from corrupting the state.

Exam trap

Google Cloud often tests the misconception that any database with locking (like Cloud Spanner or Cloud SQL) can serve as a Terraform backend, but the exam requires knowing that only services with a native Terraform backend implementation—specifically Cloud Storage—are supported for state locking.

How to eliminate wrong answers

Option A is wrong because Cloud Firestore is a NoSQL document database designed for mobile/web apps, not for Terraform state locking; it lacks native Terraform backend support. Option B is wrong because Cloud Spanner is a globally distributed relational database with strong consistency, but Terraform does not provide a native Spanner backend for state storage. Option C is wrong because Bigtable is a wide-column NoSQL database optimized for high-throughput analytics, not for Terraform state management; it has no native Terraform backend integration.

Option E is wrong because Cloud SQL is a managed relational database service (MySQL/PostgreSQL/SQL Server) that Terraform does not support as a native state backend; it would require custom tooling for locking.

37
MCQmedium

A company is migrating its on-premises application to Google Cloud. The application requires low-latency access to a shared filesystem that can be mounted by multiple Compute Engine instances across different zones. Which storage solution should they use?

A.Provision a Filestore instance and mount it on the instances.
B.Create a Persistent Disk and attach it to all instances.
C.Attach Local SSD to each instance and replicate data between them.
D.Use Cloud Storage FUSE to mount a bucket on each instance.
AnswerA

Filestore provides a managed NFS filesystem that can be mounted by multiple VMs across zones for low-latency shared access.

Why this answer

Filestore provides a fully managed, NFS-based shared filesystem that can be mounted by multiple Compute Engine instances across different zones with low-latency access. It supports the required multi-writer, multi-mount scenario natively, making it the ideal choice for shared storage in a zonal-distributed architecture.

Exam trap

The trap here is that candidates often confuse Persistent Disk's multi-attach capability (which is read-only only) with a writable shared filesystem, or assume Cloud Storage FUSE can replace a POSIX-compliant NFS share for low-latency workloads.

How to eliminate wrong answers

Option B is wrong because a Persistent Disk can only be attached to a single instance in read-write mode, or to multiple instances in read-only mode, so it cannot serve as a writable shared filesystem across multiple instances. Option C is wrong because Local SSDs are ephemeral and tied to a single instance; replicating data between them manually introduces complexity, latency, and consistency issues, and does not provide a shared filesystem. Option D is wrong because Cloud Storage FUSE presents an object store as a filesystem, which does not offer POSIX-compliant locking, low-latency metadata operations, or consistent shared-write semantics required for a shared filesystem.

38
MCQhard

An organization wants to enforce a policy that prohibits the creation of Cloud Storage buckets with uniform bucket-level access disabled. What should they use?

A.Organization policy with a list constraint.
B.IAM roles with custom permissions to deny bucket creation.
C.Cloud Audit Logs to monitor bucket creation.
D.Cloud Armor security policies.
AnswerA

Organization policies can enforce configuration constraints on resources.

Why this answer

Option C is correct: Organization policies can enforce constraints like constraints/storage.uniformBucketLevelAccess. Option A (IAM) does not prevent bucket creation with specific settings. Option B (Cloud Audit Logs) is for logging.

Option D (Cloud Armor) is for security policies at the edge.

39
MCQeasy

A user runs the gsutil command shown in the exhibit and gets an AccessDenied error. The user is not authenticated with gcloud. What should the user do first?

A.Create a service account and download a JSON key.
B.Grant public write access to the bucket.
C.Use gcloud config set project my-project to set the project.
D.Run gcloud auth login to authenticate with their Google account.
AnswerD

This will authenticate the user and allow gsutil to use their credentials.

Why this answer

The error occurs because the user is not authenticated with gcloud. The gsutil command requires valid authentication credentials to access Google Cloud Storage resources. Running `gcloud auth login` initiates the OAuth 2.0 flow, which authenticates the user with their Google account and generates the access token that gsutil uses for API calls.

This is the prerequisite step before any gsutil operation can succeed.

Exam trap

Google Cloud often tests the distinction between authentication (who you are) and authorization (what you can do); the trap here is that candidates may confuse the AccessDenied error with a bucket permission issue and jump to granting public access or setting a project, when the root cause is simply missing authentication credentials.

How to eliminate wrong answers

Option A is wrong because creating a service account and downloading a JSON key is an alternative authentication method, but it is not the first step; the user must first authenticate with gcloud (either via user account or service account) before gsutil can use those credentials. Option B is wrong because granting public write access to the bucket would bypass authentication entirely, which is a severe security misconfiguration and not a solution for an unauthenticated user; the error is about missing credentials, not bucket permissions. Option C is wrong because `gcloud config set project my-project` only sets the default project for gcloud commands but does not authenticate the user; without authentication, gsutil still cannot access any bucket regardless of the project setting.

40
MCQhard

A security team wants to audit all IAM role assignments in an organization. They need a historical record of changes. Which tool should they use?

A.Cloud Asset Inventory
B.Access Transparency
C.Cloud Audit Logs
D.Security Command Center
AnswerC

Cloud Audit Logs capture historical IAM policy changes for an organization.

Why this answer

Cloud Audit Logs (specifically Admin Activity audit logs) record all API calls that modify IAM policies, including role assignments. These logs are immutable and retained for the default retention period (400 days for Admin Activity logs), providing a historical record of changes. Cloud Asset Inventory (A) shows the current state but not historical changes, Access Transparency (B) logs Google staff access to your data, and Security Command Center (D) provides security findings and posture, not a change history.

Exam trap

Google Cloud often tests the distinction between tools that show current state (Cloud Asset Inventory) versus tools that record historical changes (Cloud Audit Logs), leading candidates to pick Cloud Asset Inventory because it 'audits' resources, but it does not provide a change history.

How to eliminate wrong answers

Option A is wrong because Cloud Asset Inventory provides a snapshot of current IAM role assignments and other resources, but it does not maintain a historical record of changes; it lacks the audit trail capability. Option B is wrong because Access Transparency logs actions performed by Google personnel when accessing your data, not IAM role assignment changes made by your own users or services. Option D is wrong because Security Command Center is a security and risk management platform that aggregates findings and vulnerabilities, but it does not natively record a chronological history of IAM policy modifications.

41
MCQhard

An organization's security policy requires that all Compute Engine VMs have Shielded VM features enabled. How can this be enforced at the organization level?

A.Create an Organization Policy with the constraint compute.requireShieldedVm.
B.Enable Cloud Audit Logs and review VM creations.
C.Use VPC Service Controls to restrict VM creation.
D.Assign a custom IAM role that only allows creation of Shielded VMs.
E.Use Deployment Manager templates that include Shielded VM.
AnswerA

Correct. This enforces Shielded VM on all new VMs.

Why this answer

Option A is correct because the Organization Policy constraint `compute.requireShieldedVm` is a Google Cloud-native mechanism that enforces Shielded VM features at the organization, folder, or project level. When this constraint is applied, any Compute Engine VM creation request that does not include Shielded VM settings (such as Secure Boot, vTPM, and Integrity Monitoring) is denied by the Organization Policy service, ensuring compliance without relying on user behavior or manual review.

Exam trap

Google Cloud often tests the distinction between enforcement mechanisms (like Organization Policies) and detection or automation tools (like Audit Logs or Deployment Manager), leading candidates to choose options that only provide visibility or templates rather than actual policy enforcement.

How to eliminate wrong answers

Option B is wrong because Cloud Audit Logs only provide visibility into VM creation events; they do not prevent non-compliant VMs from being created, so they cannot enforce the policy. Option C is wrong because VPC Service Controls are designed to protect data exfiltration and control access to Google Cloud APIs, not to enforce VM-level security features like Shielded VM. Option D is wrong because custom IAM roles cannot restrict specific VM configuration parameters (e.g., Shielded VM settings); IAM controls who can create VMs, not how they are configured.

Option E is wrong because Deployment Manager templates can include Shielded VM settings, but they are not enforceable at the organization level—users can still create VMs outside of Deployment Manager without those settings.

42
MCQhard

A company has Compute Engine instances that need to access the internet for updates but should not be reachable from the internet. They also need to access Google APIs and services like Cloud Storage. Which configuration meets these requirements?

A.Use Cloud NAT for outbound internet and enable Private Google Access on the subnet.
B.Assign external IPs to all instances and configure firewall rules to block inbound traffic.
C.Configure a VPN tunnel to an on-premises proxy server for internet access.
D.Use Cloud NAT for outbound internet and use external IPs for Google API access.
AnswerA

Cloud NAT allows outbound internet without external IPs; Private Google Access allows access to Google APIs via internal IPs.

Why this answer

Cloud NAT provides outbound internet connectivity for instances without external IPs, while Private Google Access allows those same instances to reach Google APIs and services (like Cloud Storage) using internal IPs via the subnet's default route. This combination ensures instances can initiate outbound connections to the internet and Google services but remain unreachable from the internet, meeting both security and functional requirements.

Exam trap

The trap here is that candidates often think Cloud NAT alone is sufficient for Google API access, but they miss that Private Google Access must be explicitly enabled on the subnet for instances without external IPs to reach Google APIs and services.

How to eliminate wrong answers

Option B is wrong because assigning external IPs makes instances directly reachable from the internet, even with firewall rules blocking inbound traffic; the external IP itself exposes the instance to potential attacks (e.g., DDoS) and violates the requirement that instances should not be reachable from the internet. Option C is wrong because a VPN tunnel to an on-premises proxy server adds unnecessary complexity, latency, and dependency on on-premises infrastructure; it does not directly address the need for Google API access, which is better served by Private Google Access. Option D is wrong because using external IPs for Google API access defeats the purpose of Cloud NAT; instances with external IPs are still reachable from the internet (even if only for API calls), and the requirement explicitly states instances should not be reachable from the internet.

43
MCQmedium

A Cloud Run service frequently fails with 502 errors when making requests to a backend service running on Compute Engine. The two services are in the same VPC network. The Cloud Run service is configured with a VPC connector. What is the most likely cause?

A.The Cloud Run service needs to be peered with the VPC using VPC Network Peering.
B.The VPC connector is set to a low number of instances, causing traffic throttling.
C.The VPC connector is not attached to the correct subnet, or the firewall rules are blocking traffic from the connector's IP range.
D.The Cloud Run service's service account lacks the roles/compute.instanceAdmin role.
AnswerC

The VPC connector's subnet must have routes to the backend, and firewall rules must allow ingress from the connector's IP range.

Why this answer

Option C is correct because Cloud Run uses a VPC connector to send requests to resources in a VPC. If the connector is attached to the wrong subnet, its egress traffic may not reach the Compute Engine instance, or firewall rules may block traffic from the connector's IP range (e.g., 10.8.0.0/28). This results in 502 errors from the backend, as the Cloud Run service cannot establish a TCP connection to the Compute Engine instance.

Exam trap

The trap here is that candidates confuse VPC Network Peering (used for inter-VPC connectivity) with the VPC connector (used for serverless-to-VPC access), and they overlook the firewall rules that must explicitly allow traffic from the connector's IP range.

How to eliminate wrong answers

Option A is wrong because VPC Network Peering is used to connect two separate VPC networks, not to connect a serverless service to its own VPC; Cloud Run uses a VPC connector, not peering. Option B is wrong because a low number of VPC connector instances causes throttling or increased latency, not 502 errors; 502 errors indicate a failure to reach or get a valid response from the backend, not a capacity issue. Option D is wrong because the roles/compute.instanceAdmin role grants permissions to manage Compute Engine instances, but Cloud Run does not need that role to make HTTP requests to a backend; it only needs network connectivity via the VPC connector.

44
MCQeasy

A company wants to deploy a standard VM image with pre-installed software across multiple projects. Which Google Cloud solution should they use to automate this process?

A.Cloud Build
B.Compute Engine
C.Cloud Deployment Manager
D.Cloud Shell
E.Artifact Registry
AnswerC

Correct. Deployment Manager automates resource deployment via templates.

Why this answer

Cloud Deployment Manager (option C) is the correct choice because it allows you to define a declarative template (in YAML, Jinja, or Python) that specifies the VM instance configuration, including the boot disk image with pre-installed software, and then deploy that template consistently across multiple projects. This automates the entire provisioning process, ensuring each VM is identical and reducing manual effort.

Exam trap

The trap here is that candidates often confuse Cloud Build (a CI/CD tool) with infrastructure deployment, or think Compute Engine itself can automate multi-project deployments, but neither provides the declarative, repeatable provisioning that Deployment Manager offers.

How to eliminate wrong answers

Option A (Cloud Build) is wrong because it is a CI/CD service for building, testing, and deploying software artifacts, not for provisioning infrastructure like VMs across projects. Option B (Compute Engine) is wrong because it is the IaaS service that provides the VM instances themselves, not an automation tool for deploying them. Option D (Cloud Shell) is wrong because it is a browser-based command-line environment for managing Google Cloud resources, not a deployment automation service.

Option E (Artifact Registry) is wrong because it is a service for storing and managing container images and packages, not for deploying VM instances.

45
MCQhard

A company uses Shared VPC. A project admin in a service project tries to create a subnet in the shared VPC network but receives a permission denied error. What is the most likely cause?

A.Only the Shared VPC host project admin can create subnets.
B.The service project admin lacks the compute.subnetworks.create permission on the host project.
C.The Shared VPC is not enabled for the service project.
D.Subnets must be created in the service project, not the host project.
AnswerB

Permission must be granted on the host project for subnet creation.

Why this answer

In a Shared VPC architecture, subnet creation is a privileged operation that can only be performed by a user with the compute.subnetworks.create permission on the host project. The service project admin, by default, does not have this permission in the host project, which is why the permission denied error occurs. Granting this permission to the service project admin at the host project level would resolve the issue.

Exam trap

Google Cloud often tests the misconception that service project admins have full control over the shared network, when in reality they only have usage permissions unless explicitly granted administrative permissions on the host project.

How to eliminate wrong answers

Option A is wrong because it is not strictly 'only the host project admin' who can create subnets; any user with the compute.subnetworks.create permission on the host project can do so, including a service project admin if that permission is explicitly granted. Option C is wrong because the Shared VPC being enabled for the service project is a prerequisite for using the shared network, but the error here is about permissions, not about the feature being disabled. Option D is wrong because subnets in a Shared VPC must be created in the host project, not the service project; the service project consumes subnets from the host project.

46
Matchingmedium

Match each GCP monitoring/logging tool to its purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Metrics, dashboards, alerts

Centralized log storage and analysis

Distributed tracing for latency analysis

Inspect code behavior in production

CPU and memory profiling

Why these pairings

These are operations tools in GCP.

47
MCQhard

An organization needs to audit all changes to network firewall rules in a GCP project. Which service should be used to capture these changes?

A.Cloud Logging
B.Cloud Monitoring
C.Cloud Audit Logs
D.VPC Flow Logs
AnswerC

Audit logs capture all admin activity, including firewall rule changes.

Why this answer

Cloud Audit Logs (specifically Admin Activity audit logs) record all API calls that modify the configuration or metadata of resources, including changes to firewall rules. When a firewall rule is created, updated, or deleted, an audit log entry is automatically generated with details such as the user, timestamp, and the change made. This makes Cloud Audit Logs the correct service for auditing changes to network firewall rules in a GCP project.

Exam trap

The trap here is that candidates confuse Cloud Logging (which is a general log storage and analysis platform) with Cloud Audit Logs (which is a specific type of log that records administrative actions), leading them to pick A instead of C.

How to eliminate wrong answers

Option A is wrong because Cloud Logging is a service for ingesting, storing, and analyzing log data from various sources, but it does not natively capture configuration changes to firewall rules; it would require custom log sinks or agents to collect such data. Option B is wrong because Cloud Monitoring focuses on metrics, uptime checks, and alerting based on performance and health indicators, not on recording API-driven configuration changes. Option D is wrong because VPC Flow Logs capture network traffic metadata (e.g., source/destination IPs, ports, protocols) for flow-level analysis, not the administrative changes to firewall rule definitions.

48
MCQmedium

What does the condition in this IAM policy do?

A.It denies Alice access to all buckets.
B.It allows Alice to view objects only in bucket-x.
C.It allows Alice to view objects in any bucket.
D.It allows Alice to list all buckets in the project.
E.It allows Alice to view and delete objects in bucket-x.
AnswerB

Correct. The condition limits the grant to resources under bucket-x.

Why this answer

The condition in the IAM policy restricts the `s3:GetObject` action to the `arn:aws:s3:::bucket-x/*` resource, which means Alice can only view (read) objects within that specific bucket. The `s3:ListBucket` action is also allowed on `bucket-x`, enabling her to list its contents. No other actions or buckets are permitted, making option B correct.

Exam trap

Google Cloud often tests the distinction between bucket-level actions (like `s3:ListBucket`) and object-level actions (like `s3:GetObject`), and the trap here is that candidates assume 'view objects' includes listing all buckets or deleting objects, when the policy only grants specific read permissions on a single bucket.

How to eliminate wrong answers

Option A is wrong because the policy explicitly allows access to bucket-x, not denies all buckets. Option C is wrong because the resource ARN is limited to bucket-x, not any bucket. Option D is wrong because the `s3:ListAllMyBuckets` action is not included in the policy, so Alice cannot list all buckets in the project.

Option E is wrong because the policy only grants `s3:GetObject` (view) and `s3:ListBucket` (list), not `s3:DeleteObject` (delete).

49
Multi-Selecteasy

Which TWO features help reduce costs for batch processing workloads on Compute Engine?

Select 2 answers
A.Preemptible VMs
B.Sustained use discounts
C.GPU accelerators
D.Sole-tenant nodes
E.Committed use discounts
AnswersA, B

Preemptible VMs are up to 80% cheaper and suitable for batch jobs.

Why this answer

Preemptible VMs are short-lived, low-cost instances that can be terminated at any time by Compute Engine, making them ideal for batch processing workloads that are fault-tolerant and can handle interruptions. They offer up to 80% cost savings compared to standard VMs, directly reducing costs for batch jobs that can checkpoint and resume.

Exam trap

The trap here is that candidates often confuse committed use discounts with sustained use discounts, but committed use discounts require a contractual commitment and are not suitable for batch workloads that may not run continuously, while sustained use discounts are automatic and better suited for long-running batch jobs.

50
MCQeasy

A company has two VPC networks in the same project: vpc-a (us-central1) and vpc-b (us-east1). They want to allow communication between instances in these VPCs using internal IPs. Which action should they take?

A.Move both VPCs to the same region.
B.Set up VPC Network Peering between vpc-a and vpc-b.
C.Create a VPN tunnel between the VPCs.
D.Ensure firewall rules allow ingress from the other VPC's subnet ranges.
AnswerB

VPC peering enables internal IP communication across VPCs without any gateway.

Why this answer

VPC Network Peering allows direct internal IP communication between two VPC networks, regardless of region, as long as they are in the same project or across projects. This is the simplest and most efficient method for enabling private RFC 1918 connectivity without requiring VPN tunnels or moving resources. Peering uses Google's internal infrastructure, so traffic stays within the Google network and does not traverse the public internet.

Exam trap

Google Cloud often tests the misconception that VPCs must be in the same region to use internal IPs, or that a VPN tunnel is required for cross-region connectivity, when in fact VPC Network Peering works across regions within the same project or across projects.

How to eliminate wrong answers

Option A is wrong because VPCs can be in different regions and still communicate via internal IPs using VPC Network Peering; moving both to the same region is unnecessary and would disrupt existing resources. Option C is wrong because a VPN tunnel is an over-engineered solution for VPCs within the same project—VPC Network Peering is simpler, has lower latency, and does not require a Cloud VPN gateway or tunnel configuration. Option D is wrong because while firewall rules are necessary to allow traffic, they are not sufficient on their own; the VPCs must first be connected via VPC Network Peering (or another connectivity method) for the firewall rules to have any effect.

51
MCQmedium

A company is deploying a new application on Compute Engine. They need to ensure that the application can automatically recover from a zone failure. What is the best approach?

A.Create a managed instance group with instances in multiple zones.
B.Use a global load balancer in front of a single instance.
C.Create a single VM in a single zone and rely on live migration.
D.Use Cloud Storage to store application state and restore from a snapshot.
AnswerA

MIG auto-heals and distributes across zones.

Why this answer

A managed instance group (MIG) with instances in multiple zones provides automatic recovery from a zone failure by distributing instances across zones and using auto-healing to recreate failed instances. If one zone becomes unavailable, the load balancer routes traffic to healthy instances in other zones, ensuring high availability without manual intervention.

Exam trap

Google Cloud often tests the distinction between live migration (which handles host maintenance but not zone failures) and multi-zone MIGs (which handle zone failures), leading candidates to mistakenly choose live migration as a recovery mechanism.

How to eliminate wrong answers

Option B is wrong because a global load balancer in front of a single instance does not provide zone-level redundancy; if the zone fails, the single instance becomes unavailable, and the load balancer has no healthy backend to route traffic to. Option C is wrong because live migration only protects against host maintenance events, not zone failures; if the entire zone fails, the VM is lost and cannot be recovered automatically. Option D is wrong because storing application state in Cloud Storage and restoring from a snapshot is a disaster recovery approach, not an automatic recovery mechanism; it requires manual steps to recreate the VM and does not provide seamless failover.

52
Multi-Selecthard

Which THREE are best practices for designing a highly available application on Compute Engine?

Select 3 answers
A.Use local SSDs for stateful data
B.Use a single large machine type
C.Use managed instance groups with autoscaling
D.Use an external load balancer with health checks
E.Distribute instances across multiple zones
AnswersC, D, E

Managed instance groups automatically handle scaling and healing.

Why this answer

Managed instance groups (MIGs) with autoscaling are a best practice for high availability because they automatically maintain a target number of healthy instances across zones, replacing failed instances and scaling based on load. This ensures the application can withstand instance failures and traffic spikes without manual intervention, directly supporting high availability.

Exam trap

Google Cloud often tests the misconception that local SSDs are suitable for stateful data in HA designs, but the trap is that local SSDs are ephemeral and data is lost on instance failure, so they should only be used for cache or temporary data, not for persistent state.

53
Multi-Selectmedium

Which TWO statements are true about Google Cloud VPC networks? (Select exactly 2.)

Select 2 answers
A.Each VPC network is regional in scope.
B.By default, no firewall rules are created in a new VPC.
C.Subnets are regional resources and can span zones.
D.VPC Peering allows private RFC 1918 connectivity across VPCs.
E.VPC Peering supports transitive routing.
AnswersC, D

Subnets are regional and each subnet can have IP ranges across zones.

Why this answer

Option C is correct because Google Cloud VPC subnets are regional resources that can span multiple zones within the same region. This allows resources in different zones to use the same subnet without requiring additional routing or VPN configuration, providing high availability and fault tolerance within a region.

Exam trap

The trap here is that candidates often confuse VPC scope with subnet scope, assuming VPCs are regional like in AWS, but Google Cloud VPCs are global, and they may also mistakenly believe VPC Peering supports transitive routing, which it explicitly does not.

54
MCQhard

Refer to the exhibit. Which statement is true about this Deployment Manager template?

A.The VM will be created in the us-central1-b zone.
B.The VM will use a custom machine type.
C.The VM will have a public IP address.
D.The boot disk will not be deleted when the VM is deleted.
AnswerC

The ONE_TO_ONE_NAT access config assigns an ephemeral external IP.

Why this answer

Option C is correct because the Deployment Manager template in the exhibit includes the property `autoDelete: true` for the accessConfigs block, which configures a one-to-one NAT on the network interface. This automatically assigns an ephemeral external IP address to the VM, giving it a public IP address. The presence of `type: ONE_TO_ONE_NAT` under `accessConfigs` is the key indicator that a public IP is provisioned.

Exam trap

Google Cloud often tests the distinction between predefined and custom machine types, and candidates may mistakenly think any machine type specified with a full path is custom, but the key is the name pattern (e.g., `n1-standard-*` vs. `custom-*`).

How to eliminate wrong answers

Option A is wrong because the template specifies `zone: us-central1-a`, not us-central1-b. Option B is wrong because the template defines `machineType: zones/us-central1-a/machineTypes/n1-standard-1`, which is a predefined standard machine type (1 vCPU, 3.75 GB memory), not a custom type. Option D is wrong because the `disks` block includes `autoDelete: true`, which means the boot disk will be automatically deleted when the VM is deleted, contrary to the statement.

55
MCQmedium

A startup is deploying a microservices application on Google Kubernetes Engine (GKE) with a regional cluster. They have services that need to communicate with each other and also with external APIs. The cluster uses VPC-native routing. They have enabled Cloud NAT to allow outbound internet access for nodes without external IPs. However, the development team reports that some pods cannot reach the external APIs, while others can. All pods are in the same namespace and are not using any network policies. The pods that fail have the annotation 'cloud.google.com/gke-nat-ips' set to a list of static IP addresses. The pods that work do not have this annotation. What is the most likely cause of the failure?

A.Network policies are blocking outbound traffic for those pods.
B.The VPC-native routing is misconfigured for the pods with the annotation.
C.The annotation is used to assign static IPs for inbound traffic only.
D.The annotation 'cloud.google.com/gke-nat-ips' is not compatible with Cloud NAT for outbound traffic.
AnswerD

The annotation is used for specific use cases, not with Cloud NAT.

Why this answer

The annotation 'cloud.google.com/gke-nat-ips' is used to assign specific static IP addresses for outbound traffic from pods, but it is only compatible with the GKE Native Networking (formerly VPC-native) and the Cloud NAT gateway when the pods use the default NAT configuration. When this annotation is set, Cloud NAT is bypassed for those pods, and the traffic is sent directly from the specified static IPs, which may not be properly routed or may be blocked by the external API's firewall rules. In contrast, pods without the annotation use Cloud NAT's dynamic IPs, which are correctly routed and allowed.

Exam trap

The trap here is that candidates often assume the annotation is for inbound traffic or that it works seamlessly with Cloud NAT, but in reality, it overrides Cloud NAT for outbound traffic and requires careful IP management and firewall configuration.

How to eliminate wrong answers

Option A is wrong because the question explicitly states that no network policies are in use, so there is no policy blocking outbound traffic. Option B is wrong because VPC-native routing is correctly configured for the cluster and works for pods without the annotation; the issue is specific to the annotation's interaction with Cloud NAT, not a misconfiguration of VPC-native routing itself. Option C is wrong because the annotation 'cloud.google.com/gke-nat-ips' is specifically designed to assign static IPs for outbound traffic from pods, not inbound traffic; inbound traffic uses load balancers or ingress resources.

56
Multi-Selecthard

A company is designing a hybrid network architecture connecting an on-premises data center to Google Cloud. They need high availability (99.99% SLA) and bandwidth up to 10 Gbps. They also need to use their existing MPLS circuits. Which THREE components should they include in the design? (Choose three.)

Select 3 answers
A.Two VLAN attachments to two different edge availability domains.
B.BGP sessions from each on-premises router to each Cloud Router.
C.Cloud CDN to cache content and reduce latency.
D.Dedicated Interconnect connections with at least two redundant links.
E.Cloud VPN tunnels with multiple gateways for failover.
AnswersA, B, D

Using multiple VLAN attachments across different edge availability domains provides redundancy and high availability, meeting the 99.99% SLA.

Why this answer

Option A is correct because VLAN attachments in Google Cloud are associated with edge availability domains (EADs), which represent physically independent failure domains within a zone. By attaching two VLAN attachments to two different EADs, the design ensures that a failure in one EAD does not affect the other, supporting the 99.99% SLA requirement. This is a key component of a highly available Dedicated Interconnect or Partner Interconnect setup.

Exam trap

The trap here is that candidates often confuse Cloud CDN or Cloud VPN as viable options for high-bandwidth, high-availability hybrid connectivity, but they fail to meet the 10 Gbps throughput and 99.99% SLA requirements, which only Dedicated Interconnect with redundant links and proper BGP configuration can satisfy.

57
Multi-Selectmedium

Which TWO are best practices when designing a VPC network for a multi-tier application in Google Cloud?

Select 2 answers
A.Disable VPC Flow Logs to reduce cost.
B.Create separate subnets for each application tier.
C.Use firewall rules to restrict traffic between tiers to only necessary ports.
D.Use a single subnet for all tiers to simplify IP management.
E.Rely on the default priority of firewall rules to ensure proper ordering.
AnswersB, C

Subnets allow segmentation and granular firewall rules.

Why this answer

Option B is correct because creating separate subnets for each application tier (e.g., web, application, database) allows you to apply granular firewall rules and routing policies per tier. This segmentation improves security by isolating traffic between tiers and aligns with Google Cloud's best practices for multi-tier architectures. It also simplifies network troubleshooting and scaling by keeping each tier's IP space distinct.

Exam trap

The trap here is that candidates assume a single subnet simplifies management (Option D) or that disabling flow logs is a harmless cost-saving measure (Option A), but the exam expects you to prioritize security and observability over minor cost savings or administrative convenience.

58
MCQmedium

A developer notices that web-server-1 is preemptible. They want to ensure their application remains available even if this instance is terminated. What should they do?

A.Modify the instance's preemptible flag to false.
B.Create a managed instance group for web-server-1 and set an autoscaler.
C.Create a load balancer pointing to web-server-1's external IP.
D.Create a snapshot schedule for web-server-1.
AnswerB

Managed instance groups automatically recreate instances, including preemptible ones, if they are terminated.

Why this answer

A managed instance group (MIG) with an autoscaler ensures that if the preemptible instance is terminated, the MIG automatically recreates it to maintain the desired number of instances. This provides resilience against preemption by restoring capacity without manual intervention. The load balancer can then distribute traffic across healthy instances in the group.

Exam trap

Google Cloud often tests the misconception that a load balancer alone provides high availability, but without a managed instance group to recreate terminated instances, the load balancer has no healthy backends to route traffic to.

How to eliminate wrong answers

Option A is wrong because modifying the preemptible flag to false would make the instance a standard (non-preemptible) instance, but this does not address availability during termination—it only prevents future preemption, and the instance could still fail for other reasons. Option C is wrong because a load balancer pointing to a single instance's external IP does not provide high availability; if the instance is terminated, the load balancer has no healthy backend and traffic is lost. Option D is wrong because a snapshot schedule only backs up persistent disks, it does not recreate the instance or maintain application availability after termination.

59
Multi-Selectmedium

Which TWO options are valid ways to connect an on-premises network to a VPC in Google Cloud? (Choose two.)

Select 2 answers
A.Cloud VPN.
B.Dedicated Interconnect.
C.Cloud NAT.
D.VPC Network Peering.
E.Private Google Access.
AnswersA, B

Cloud VPN provides IPsec tunnels to on-premises.

Why this answer

Cloud VPN is a valid way to connect an on-premises network to a VPC in Google Cloud. It uses IPsec (IKEv1 or IKEv2) to create an encrypted tunnel over the public internet between your on-premises VPN gateway and a Cloud VPN gateway in your VPC. This allows secure communication between your on-premises resources and your VPC subnets, making it a standard hybrid connectivity option.

Exam trap

Google Cloud often tests the distinction between services that provide connectivity to a VPC (like VPN and Interconnect) versus services that only enable outbound internet access or internal VPC-to-VPC peering, leading candidates to mistakenly select Cloud NAT or VPC Network Peering.

60
MCQmedium

Your company is using Cloud Storage to store sensitive customer data. The security team requires that all objects be encrypted with a customer-managed encryption key (CMEK) and that the key be automatically rotated every 90 days. You need to implement this without changing the application code. You have created a Cloud KMS key ring and a key with rotation period set to 90 days. What additional configuration is required?

A.Set a bucket lifecycle rule to transition objects to a different storage class.
B.Create a custom customer-supplied encryption key (CSEK) and provide it in each request.
C.Grant the Cloud KMS CryptoKey Encrypter/Decrypter role to the Cloud Storage service account.
D.Set the default encryption key of the Cloud Storage bucket to the Cloud KMS key.
AnswerD

Setting the default encryption key on the bucket ensures all new objects are automatically encrypted with the CMEK without code changes. Cloud KMS handles automatic rotation.

Why this answer

Option D is correct because setting the default encryption key of the Cloud Storage bucket to the Cloud KMS key ensures that all objects written to the bucket are automatically encrypted with that CMEK, without requiring any application code changes. The Cloud KMS key's rotation period of 90 days is already configured, so the key will be rotated automatically, meeting the security team's requirement.

Exam trap

The trap here is that candidates may think granting the Cloud KMS role to the Cloud Storage service account (Option C) is sufficient, but they overlook the critical step of actually setting the key as the default encryption key on the bucket to enforce automatic encryption.

How to eliminate wrong answers

Option A is wrong because bucket lifecycle rules manage object transitions between storage classes or deletion, not encryption key configuration or rotation. Option B is wrong because CSEK requires providing the key in each request, which would necessitate changing application code, and CSEK keys cannot be automatically rotated by Cloud KMS. Option C is wrong because granting the Cloud KMS CryptoKey Encrypter/Decrypter role to the Cloud Storage service account is necessary for the service account to use the key, but it is not the additional configuration required to enforce encryption on the bucket; the key must also be set as the default encryption key on the bucket.

61
MCQeasy

A company runs a batch processing job that runs daily and can handle interruptions. The job runs on a single Compute Engine instance. Which machine configuration is the most cost-effective?

A.A n2-standard-4 VM with sustained use discount
B.A standard n1-standard-4 VM
C.A preemptible n1-standard-4 VM
D.A n1-standard-4 VM with a GPU
AnswerC

Preemptible VMs are much cheaper and suitable for fault-tolerant batch jobs.

Why this answer

Option C is correct because a preemptible VM costs significantly less than a standard VM (up to 80% discount) and is ideal for batch processing jobs that can handle interruptions. The job runs daily and can tolerate being stopped, so the lower cost of a preemptible instance provides the most cost-effective solution without sacrificing functionality.

Exam trap

Google Cloud often tests the misconception that sustained use discounts are the most cost-effective option, but the trap here is that preemptible VMs provide a much deeper discount for fault-tolerant workloads, and candidates may overlook the 'can handle interruptions' requirement in the question.

How to eliminate wrong answers

Option A is wrong because a n2-standard-4 VM with sustained use discount is more expensive than a preemptible VM; sustained use discounts apply automatically for running instances over a month, but they do not match the deep discount of preemptible instances, and the n2 series is a newer, higher-performance generation that is unnecessary for a batch job that can handle interruptions. Option B is wrong because a standard n1-standard-4 VM incurs full on-demand pricing, which is not cost-effective for a fault-tolerant batch job that can use cheaper preemptible instances. Option D is wrong because adding a GPU to an n1-standard-4 VM increases cost significantly and provides no benefit for a batch processing job that does not require GPU acceleration, making it the least cost-effective option.

62
Multi-Selecteasy

Which TWO of the following are valid ways to deploy a Cloud Function? (Choose two.)

Select 2 answers
A.gcloud functions deploy
B.Cloud Source Repositories
C.Cloud Run
D.Cloud Scheduler
E.Cloud Build triggers
AnswersA, E

Correct. gcloud is a primary method.

Why this answer

Option A is correct because `gcloud functions deploy` is the primary command-line interface (CLI) method to deploy a Cloud Function directly from a local source or a specified source location. Option E is correct because Cloud Build triggers can be configured to automatically deploy a Cloud Function whenever a change is pushed to a repository (e.g., Cloud Source Repositories, GitHub), enabling continuous deployment.

Exam trap

Google Cloud often tests the distinction between services that *trigger* or *store* code versus services that *deploy* code; the trap here is confusing Cloud Source Repositories (a source code host) or Cloud Scheduler (a job scheduler) with actual deployment methods, leading candidates to select them as valid deployment options.

63
MCQhard

A company is migrating a monolithic application to microservices on Google Cloud. They need to manage service-to-service authentication and authorization. Which service should they use?

A.Cloud NAT
B.Cloud Identity-Aware Proxy
C.Cloud Endpoints
D.Service Mesh (Anthos)
AnswerD

Anthos Service Mesh provides mTLS, authorization policies, and observability for microservices.

Why this answer

Service Mesh (Anthos) provides a dedicated infrastructure layer for managing service-to-service communication, including mutual TLS (mTLS) authentication, fine-grained authorization policies, and observability. It uses sidecar proxies (Envoy) to intercept traffic and enforce security policies without modifying application code, making it ideal for microservices authentication and authorization.

Exam trap

The trap here is that candidates often confuse Cloud Endpoints (API management for external clients) with the internal service-to-service security needs of microservices, or assume Cloud IAP can be extended to internal traffic, but IAP only works for user-facing HTTP(S) requests and cannot enforce policies between backend services.

How to eliminate wrong answers

Option A is wrong because Cloud NAT is a network address translation service for outbound internet access from private instances, not for service-to-service authentication or authorization. Option B is wrong because Cloud Identity-Aware Proxy (IAP) is designed for user-to-application authentication and access control at the edge, not for internal service-to-service communication within a VPC. Option C is wrong because Cloud Endpoints is an API management service that handles API keys, authentication, and quotas for external-facing APIs, but it does not provide the sidecar-based, fine-grained service-to-service authentication and authorization needed for microservices.

64
MCQeasy

When creating a Compute Engine instance from a custom image stored in another project, which gcloud flag is required?

A.--image-project
B.--source-instance
C.--image
D.--image-family
AnswerC

Specifies the image name, which is always required.

Why this answer

Option C is correct because the `--image` flag is required when creating a Compute Engine instance from a custom image, regardless of whether the image is in the same project or a different project. This flag specifies the name of the custom image to use as the boot disk source. Without it, gcloud would default to a public image or fail to create the instance.

Exam trap

The trap here is that candidates often think `--image-project` is required when using a custom image from another project, but it is only needed for public images or when the image is in a different project — the `--image` flag itself is always required, and `--image-project` is optional if the image is in the same project.

How to eliminate wrong answers

Option A is wrong because `--image-project` is not required when using a custom image from another project; it is only needed when specifying a public image from a different project (e.g., `--image-project debian-cloud`). Option B is wrong because `--source-instance` is used to create an image from an existing instance, not to specify an image when creating a new instance. Option D is wrong because `--image-family` is used to select the latest non-deprecated image from a family (e.g., `ubuntu-2204-lts`), not to reference a specific custom image by name.

65
MCQmedium

A DevOps engineer notices that a GKE cluster has nodes that are frequently preempted. They want to reduce costs but maintain resilience. What should they do?

A.Use node auto-repair
B.Use preemptible VMs for all nodes
C.Use committed use discounts
D.Use a regional cluster with multiple zones
AnswerD

Regional clusters distribute nodes across zones, improving resilience to zone-level preemption.

Why this answer

A regional cluster with multiple zones distributes workloads across zones, so if nodes in one zone are preempted, the cluster remains resilient by using nodes in other zones. This reduces costs by allowing the use of preemptible VMs (which are cheaper) while maintaining high availability, as the cluster can tolerate zone-level failures. The key is that regional clusters provide a managed control plane and node distribution across zones, which is essential for resilience against preemption.

Exam trap

The trap here is that candidates may think preemptible VMs are inherently unreliable and thus avoid them entirely, or they may confuse node auto-repair (which fixes health issues) with resilience against preemption, missing the key benefit of a regional architecture that distributes risk across zones.

How to eliminate wrong answers

Option A is wrong because node auto-repair only fixes unhealthy nodes (e.g., those with kernel issues) but does not prevent or mitigate the impact of preemption, which is a deliberate termination by GCP. Option B is wrong because using preemptible VMs for all nodes would cause the entire cluster to fail if all nodes are preempted simultaneously, offering no resilience; preemptible VMs can be terminated at any time within 24 hours. Option C is wrong because committed use discounts require a 1- or 3-year commitment and do not address the resilience issue; they reduce costs for sustained usage but do not protect against preemption.

66
MCQhard

A company runs a stateful application on Google Kubernetes Engine (GKE) that requires persistent storage and low-latency access across multiple zones. The application needs to perform well even during zonal failures. Which storage solution should they use?

A.Zonal persistent disk with snapshots to another zone
B.Local SSDs attached to nodes
C.Cloud Filestore
D.Regional persistent disk
AnswerD

Regional PD replicates across zones and provides high availability.

Why this answer

Regional persistent disks (RPDs) synchronously replicate data across two zones in the same region, providing both the persistent storage and low-latency access required by the stateful application. This ensures that if one zone fails, the disk can be attached to a pod in the surviving zone without data loss or significant performance degradation, meeting the high-availability and multi-zone access requirements.

Exam trap

The trap here is that candidates confuse high-availability features like snapshots or local SSDs with true synchronous replication, overlooking that only regional persistent disks provide both persistence and zero-RPO failover across zones without manual restore steps.

How to eliminate wrong answers

Option A is wrong because zonal persistent disks with snapshots to another zone introduce recovery time (snapshot restore) and potential data loss (snapshot frequency), failing to provide the synchronous, low-latency multi-zone access needed during zonal failures. Option B is wrong because local SSDs are ephemeral and tied to a specific node; data is lost if the node or zone fails, and they cannot be shared across zones, violating the persistent storage requirement. Option C is wrong because Cloud Filestore is a managed NFS file storage service designed for shared file systems, not for low-latency block storage access required by stateful applications on GKE, and it introduces network latency compared to directly attached persistent disks.

67
MCQeasy

A company wants to provision multiple similar environments (dev, test, prod) with consistent networking configurations. Which approach is a best practice for infrastructure as code?

A.Use Ansible playbooks to run ad-hoc commands.
B.Use a single Terraform configuration with workspaces.
C.Run separate gcloud commands for each environment.
D.Use Cloud Deployment Manager templates with environment-specific parameters.
AnswerB

Workspaces allow reusable configuration across environments.

Why this answer

Terraform workspaces allow you to manage multiple distinct environments (e.g., dev, test, prod) from a single configuration by maintaining separate state files. This ensures consistent networking configurations across environments while avoiding duplication of code, which is a core best practice for infrastructure as code.

Exam trap

Google Cloud often tests the misconception that environment-specific parameters in Deployment Manager templates are equivalent to Terraform workspaces, but the trap is that Terraform's workspace feature provides native state isolation and multi-cloud portability, whereas Deployment Manager is GCP-specific and lacks the same level of abstraction for consistent multi-environment management.

How to eliminate wrong answers

Option A is wrong because Ansible playbooks are primarily for configuration management and ad-hoc command execution, not for declaratively provisioning cloud infrastructure with state management and drift detection. Option C is wrong because running separate gcloud commands for each environment is imperative, error-prone, and lacks version control and repeatability, violating IaC principles. Option D is wrong because Cloud Deployment Manager templates with environment-specific parameters can work but are less portable and flexible than Terraform workspaces, and Terraform is the more widely adopted multi-cloud IaC tool for consistent provisioning.

68
Multi-Selecteasy

Which TWO IAM predefined roles grant read-only access to Cloud Storage objects but not the ability to list buckets?

Select 2 answers
A.roles/storage.legacyBucketReader
B.roles/storage.objectViewer
C.roles/storage.objectAdmin
D.roles/storage.viewer
E.roles/storage.admin
AnswersA, B

Allows reading objects if you know the bucket, but does not grant storage.buckets.list.

Why this answer

Option A, roles/storage.legacyBucketReader, is correct because it grants read access to Cloud Storage objects (via the storage.objects.get permission) but does not include the storage.buckets.list permission, so users cannot list buckets. Option B, roles/storage.objectViewer, is correct because it provides read-only access to objects (storage.objects.get and storage.objects.list) without the ability to list buckets, as it lacks storage.buckets.list.

Exam trap

The trap here is that candidates often confuse roles/storage.viewer (which includes bucket listing) with roles/storage.objectViewer (which does not), or assume that any 'viewer' role excludes bucket listing, but the storage.viewer role actually includes storage.buckets.list, making it incorrect for this specific requirement.

69
MCQhard

An organization requires that all Compute Engine instances in a project must have a specific tag for firewall rule compliance. How can they enforce this?

A.Use IAM roles to restrict instance creation
B.Use a startup script to add the tag
C.Use a mandatory tag via organization policy
D.Use Cloud Asset Inventory
AnswerC

Organization policies can enforce constraints like `compute.requireTags`.

Why this answer

Option C is correct because Organization Policies in Google Cloud can enforce constraints that require resources, including Compute Engine instances, to have specific labels or tags. The `compute.requireOsLogin` or custom constraint `compute.requireInstanceTag` can be used to mandate that all instances must have a particular tag, and any instance creation that violates this policy will be denied at the API level, ensuring compliance without relying on user behavior.

Exam trap

The trap here is that candidates often confuse IAM roles with Organization Policies, thinking that restricting creation permissions (Option A) is sufficient, but IAM cannot enforce resource-level attributes like tags, which is a common misconception in policy-based governance questions.

How to eliminate wrong answers

Option A is wrong because IAM roles control who can create instances, not what tags are applied to the instances; they cannot enforce a specific tag value. Option B is wrong because a startup script runs after the instance is created, so it cannot prevent the creation of an instance without the required tag, and the instance would already exist in violation of the firewall rule compliance. Option D is wrong because Cloud Asset Inventory is a service for discovering and monitoring cloud resources, not for enforcing policies or preventing non-compliant resource creation.

70
Multi-Selectmedium

Which TWO actions are required to allow a private GKE cluster to pull container images from Artifact Registry in the same project?

Select 2 answers
A.Create a firewall rule allowing outbound traffic to Artifact Registry IP ranges.
B.Set up VPC Network Peering with the Artifact Registry service.
C.Configure Cloud NAT for the GKE cluster.
D.Enable Private Google Access on the subnet where the GKE nodes are deployed.
E.Grant the Artifact Registry Reader role to the GKE service account.
AnswersD, E

Private Google Access allows nodes without external IPs to reach Google APIs.

Why this answer

Option D is correct because Private Google Access enables GKE nodes with only internal IP addresses to reach Google APIs and services, including Artifact Registry, over Google's private network rather than the public internet. Option E is correct because the GKE node's service account must have the Artifact Registry Reader role (roles/artifactregistry.reader) to authenticate and pull container images from the registry.

Exam trap

Google Cloud often tests the misconception that Cloud NAT is required for private clusters to access Google APIs, but Private Google Access is the correct mechanism for reaching Google-managed services like Artifact Registry without public IPs.

71
MCQhard

An organization has a VPC with two subnets: subnet-a (10.0.1.0/24) and subnet-b (10.0.2.0/24). They launched a Compute Engine instance in subnet-a with an internal IP 10.0.1.2 and a public IP. They want the instance to only allow HTTPS traffic from the internet. Which firewall rule should they create?

A.Ingress rule: allow tcp:0-65535, source 0.0.0.0/0, target tag 'https-server'
B.Egress rule: allow tcp:443, destination 0.0.0.0/0, target tag 'https-server'
C.Ingress rule: allow tcp:443, source 10.0.0.0/16, target tag 'https-server'
D.Ingress rule: allow tcp:443, source 0.0.0.0/0, target tag 'https-server'
AnswerD

This rule correctly allows inbound HTTPS from any source to instances with the tag.

Why this answer

Option D is correct because the instance needs to accept incoming HTTPS traffic (TCP port 443) from the internet. An ingress firewall rule with source 0.0.0.0/0 allows traffic from any external IP, and applying it to instances with the target tag 'https-server' ensures only tagged instances are affected. This matches the requirement to allow only HTTPS from the internet.

Exam trap

The trap here is that candidates often confuse ingress vs. egress rules or mistakenly restrict the source to the VPC range (10.0.0.0/16) thinking it includes the internet, when in fact it only allows traffic from within the VPC.

How to eliminate wrong answers

Option A is wrong because it allows all TCP ports (0-65535) from the internet, which violates the requirement to allow only HTTPS traffic (port 443). Option B is wrong because it is an egress rule, which controls outbound traffic from the instance, not inbound HTTPS traffic from the internet. Option C is wrong because it restricts the source to the internal VPC range (10.0.0.0/16), which blocks all internet traffic and does not meet the requirement for allowing HTTPS from the internet.

72
MCQmedium

A company is deploying a web application on Compute Engine behind a global HTTP(S) load balancer. They want to restrict access to only traffic from specific IP ranges. Which load balancer feature should they use?

A.Cloud Armor security policies.
B.VPC firewall rules.
C.Identity-Aware Proxy (IAP).
D.Cloud CDN.
AnswerA

Cloud Armor can allow/deny traffic based on IP.

Why this answer

Cloud Armor security policies are the correct choice because they allow you to define IP-based allow/deny rules at the edge of Google's network, directly integrated with the global HTTP(S) load balancer. This provides granular access control based on source IP ranges before traffic reaches your backend instances, which is exactly what the requirement specifies.

Exam trap

The trap here is that candidates often confuse VPC firewall rules with Cloud Armor, assuming that firewall rules can filter on the original client IP behind a load balancer, but in reality, VPC firewall rules only see the load balancer's proxy IPs, making Cloud Armor the only viable option for IP-based access control at the edge.

How to eliminate wrong answers

Option B is wrong because VPC firewall rules operate at the instance level (network interface) and cannot filter traffic based on the original client IP when a global HTTP(S) load balancer is used, as the load balancer's health check and proxy IPs are seen instead. Option C is wrong because Identity-Aware Proxy (IAP) controls access based on user identity and context (e.g., Google accounts, OAuth), not on source IP ranges, and is designed for application-layer authentication, not network-layer IP filtering. Option D is wrong because Cloud CDN is a content delivery network that caches content at edge locations to improve latency and reduce load, and it does not provide any IP-based access control or security policy enforcement.

73
MCQeasy

A developer wants to store and retrieve non-relational data with flexible schema and automatic scaling. Which Google Cloud service should they use?

A.Cloud Bigtable.
B.Cloud SQL.
C.Firestore.
D.Cloud Spanner.
AnswerC

Firestore is NoSQL with flexible schema and auto-scaling.

Why this answer

Firestore is a NoSQL document database that supports flexible schema and automatic scaling, making it ideal for non-relational data. It offers real-time synchronization, offline support, and serverless scaling, which aligns with the requirement for storing and retrieving data without manual sharding or capacity planning.

Exam trap

Google Cloud often tests the distinction between NoSQL databases by presenting Cloud Bigtable as a trap for 'non-relational' requirements, but candidates overlook that Bigtable is optimized for analytical workloads with fixed column families, not for flexible schema and automatic scaling in transactional applications.

How to eliminate wrong answers

Option A is wrong because Cloud Bigtable is a wide-column NoSQL database designed for large analytical workloads (e.g., time-series, IoT) with high throughput, but it does not support flexible schema in the same way as Firestore (it requires predefined column families) and is not optimized for transactional, real-time client-side access. Option B is wrong because Cloud SQL is a fully managed relational database service (MySQL, PostgreSQL, SQL Server) that enforces a fixed schema and does not automatically scale beyond its instance limits without manual resizing or read replicas. Option D is wrong because Cloud Spanner is a globally distributed relational database that provides strong consistency and horizontal scaling, but it requires a predefined schema and SQL-based relational model, making it unsuitable for non-relational data with flexible schema.

74
MCQhard

A company runs a critical web application behind an external HTTPS load balancer. The backend consists of a managed instance group of Compute Engine instances. Users report intermittent 502 Bad Gateway errors. The load balancer logs show occasional health check failures for some instances. The instances have a custom health check endpoint that returns a 200 status code only if the application is fully healthy. The application logs do not show any errors, and CPU/memory usage on the instances is normal. What should be the first troubleshooting step to identify the root cause?

A.Change the health check to a TCP check on the application's port
B.Increase the health check check interval and decrease the unhealthy threshold
C.Increase the number of instances in the managed instance group
D.Check the application's logs on the instances to see why the health check endpoint sometimes returns non-200
AnswerD

This directly investigates the health check failure.

Why this answer

Option B is correct. The health check is failing, and since the instances show normal CPU/memory, the application might be slow to respond under certain conditions. Checking the application logs on the instances will reveal why the health check endpoint returns non-200.

Option A is wrong because increasing the interval doesn't fix the underlying issue. Option C is wrong because adding instances won't help if the health check is flaky. Option D is wrong because TCP health check would not validate application health and could mask the problem.

75
MCQmedium

A company deploys a web application on Compute Engine behind a Global HTTPS Load Balancer. They need to restrict access to the application based on the client's IP address. Which Google Cloud service should they use?

A.VPC firewall rules
B.Identity-Aware Proxy (IAP)
C.Cloud Armor
D.Cloud CDN
AnswerC

Cloud Armor provides IP-based access control and DDoS protection for load balancers.

Why this answer

Cloud Armor is the correct choice because it provides IP-based access control at the edge of Google's network, integrated directly with the Global HTTPS Load Balancer. It allows you to create security policies with IP allow/deny rules that are evaluated before traffic reaches your Compute Engine instances, making it the appropriate service for client IP restriction at the load balancer level.

Exam trap

The trap here is that candidates often confuse VPC firewall rules with edge security, not realizing that VPC firewall rules cannot see the original client IP when a Global Load Balancer is in front, making Cloud Armor the only option for IP-based access control at the load balancer level.

How to eliminate wrong answers

Option A is wrong because VPC firewall rules operate at the instance network interface level, not at the load balancer edge, and they cannot inspect the original client IP address when traffic passes through a Global HTTPS Load Balancer (the source IP becomes the load balancer's IP). Option B is wrong because Identity-Aware Proxy (IAP) controls access based on user identity and context (e.g., OAuth2, device security), not on client IP addresses; it is designed for authentication and authorization, not network-layer IP filtering. Option D is wrong because Cloud CDN is a content delivery network service that caches content at edge locations to improve latency and reduce load; it does not provide IP-based access control or security policy enforcement.

Page 1 of 2 · 116 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Manage Provision Infra questions.