CCNA Manage Provision Infra Questions

41 of 116 questions · Page 2/2 · Manage Provision Infra topic

76
MCQ · hard

An organization uses Cloud SQL for MySQL in a production environment. They need to ensure high availability with automatic failover in case of a zonal failure. Which configuration should they use?

A. Create a read replica in a different region.
B. Create a regional Cloud SQL instance with automatic failover.
C. Export the database daily and import into a new instance if failure occurs.
D. Deploy Cloud SQL across multiple regions using cross-region replication.
Answer: B

Regional instances provide a synchronous standby in another zone and automatic failover.

Why this answer

A regional Cloud SQL instance with automatic failover uses a primary and a standby zone within the same region, with synchronous replication between them. If the primary zone fails, Cloud SQL automatically promotes the standby to primary, ensuring high availability without data loss. This configuration meets the requirement for automatic failover during a zonal failure.

Exam trap

The trap here is that candidates confuse cross-region replication (available for other database engines) with the zonal high-availability feature for Cloud SQL for MySQL, or assume that a read replica can be used for automatic failover when it requires manual promotion.

How to eliminate wrong answers

Option A is wrong because a read replica in a different region provides read scalability and disaster recovery across regions, but it does not support automatic failover for the primary instance; failover would require manual promotion, which is not automatic. Option C is wrong because daily exports and manual imports are a backup and restore strategy, not a high-availability solution; it introduces significant downtime and potential data loss, failing the automatic failover requirement. Option D is wrong because Cloud SQL for MySQL does not support cross-region replication for automatic failover; cross-region replication is available for Cloud SQL for PostgreSQL and SQL Server, but for MySQL, it is limited to read replicas, which do not provide automatic failover.

77
Multi-Select · hard

Which THREE factors should be considered when selecting a machine series for a Compute Engine instance running a memory-intensive batch job?

Select 3 answers
A. Network throughput.
B. Sustained use discount.
C. GPU availability.
D. Memory per vCPU ratio.
E. vCPU count.
Answers: A, D, E

Batch jobs often involve data transfer; higher throughput reduces time.

Why this answer

Network throughput (A) is a critical factor for a memory-intensive batch job because such jobs often involve reading or writing large datasets from persistent storage or other sources over the network. The instance series must provide sufficient network bandwidth to avoid I/O bottlenecks that could extend job completion time, even if the compute and memory resources are adequate.

Exam trap

Google Cloud often tests the distinction between factors that influence technical workload performance (like network throughput and memory ratio) versus cost-saving mechanisms (like sustained use discounts) that are applied automatically and do not affect the suitability of a machine series.

78
MCQ · easy

A developer needs to grant public read access to all objects in a Cloud Storage bucket named 'my-public-assets'. What is the simplest way to achieve this?

A. Set a bucket policy that allows allUsers to read objects.
B. Grant storage.objectViewer to AllUsers on the bucket without enabling uniform bucket-level access.
C. Enable uniform bucket-level access and grant storage.objectViewer to AllUsers.
D. Set an ACL on each object to allow public read.
Answer: C

This is the recommended approach for public buckets.

Why this answer

Option C is correct: AllUsers with storage.objectViewer on the bucket grants public read access to all objects. Option A requires setting ACLs per object. Option B is for uniform bucket-level access but that would require an additional step.

Option D is wrong; bucket policy only is not sufficient without AllUsers.

79
MCQ · hard

An administrator creates a GKE cluster with the command above. After deployment, the cluster has 3 nodes, but the node pool autoscaler never scales up even under load. What is the most likely reason?

A. The autoscaler minimum nodes is set to 1 and maximum to 5.
B. The disk size of 100 GB is insufficient.
C. The cluster is zonal, but node locations include multiple zones.
D. The machine type e2-medium is too small for the workloads.
Answer: C

In a zonal cluster, nodes can only be in the cluster zone; node-locations is ignored.

Why this answer

Option C is correct because the node pool autoscaler in GKE cannot scale up a cluster that uses multiple zones in a single zonal cluster. The autoscaler requires that all nodes in the pool be in the same zone to properly manage capacity; when node locations span multiple zones in a zonal cluster, the autoscaler is disabled and will not trigger scaling events, even under load.

Exam trap

The trap here is that candidates often assume the autoscaler is misconfigured due to limits or resource constraints, but Cisco tests the subtle distinction that the autoscaler is disabled entirely when node locations span multiple zones in a zonal cluster.

How to eliminate wrong answers

Option A is wrong because setting minimum nodes to 1 and maximum to 5 is a valid autoscaler configuration and does not prevent scaling; it actually enables scaling within that range. Option B is wrong because a 100 GB disk size is sufficient for most workloads and disk size does not affect the autoscaler's ability to scale; the autoscaler responds to resource requests (CPU/memory), not disk capacity. Option D is wrong because the e2-medium machine type, while small, is not inherently too small for workloads; the autoscaler scales based on pending pods and resource requests, not the machine type itself, and a small machine type would actually trigger scaling if workloads exceed its capacity.

80
Multi-Select · hard

A company has a Cloud SQL for PostgreSQL instance that is experiencing high latency. They suspect a connection pooling issue. Which TWO configurations should be checked? (Choose two.)

Select 2 answers
A. Cloud SQL Auth Proxy configuration
B. max_connections database flag
C. Private IP assignment
D. Database query insights
E. Database version
Answers: A, B

Correct. The proxy handles connection pooling efficiently.

Why this answer

The Cloud SQL proxy provides secure connections and connection pooling to reduce latency. The max_connections parameter affects how many connections are allowed and can be a bottleneck. Query insights helps but is not a configuration.

Private IP vs public IP affects network path but not connection pooling per se.

81
MCQ · hard

A company uses a Shared VPC hosted in a common project (host project) to centralize network management. A service project team needs to create a Compute Engine instance with a specific static internal IP address from the Shared VPC subnet. What IAM permissions should be granted to the service project's Compute Engine default service account?

A. compute.networkAdmin on the host project.
B. compute.subnetworks.use on the host project subnet.
C. compute.instances.create on the service project.
D. compute.subnetworks.use and compute.addresses.use on the subnet and static IP.
Answer: D

These permissions allow using the subnet and reserving the specific IP.

Why this answer

Option B is correct: To use a specific static internal IP from a Shared VPC, the service account needs compute.subnetworks.use and compute.addresses.use on the subnet or address resource. Option A is missing compute.addresses.use. Option C grants compute.instances.create but not the necessary subnet/address permissions.

Option D is too broad and unnecessary.

82
Multi-Select · hard

Which THREE components are required to set up a private connection between an on-premises network and a VPC using Cloud VPN? (Choose three.)

Select 3 answers
A. Peer VPN gateway (on-premises).
B. Two VPN tunnels (for redundancy).
C. Cloud VPN gateway.
D. VPC Network Peering.
E. Cloud Router.
Answers: A, B, C

Required to terminate VPN on-premises.

Why this answer

Option A is correct because a Peer VPN gateway represents the on-premises VPN device that terminates the IPsec tunnel from the Cloud VPN gateway. This is a required component to establish the encrypted tunnel between your on-premises network and the VPC, as it defines the public IP address and configuration of the remote endpoint.

Exam trap

Google Cloud often tests the misconception that Cloud Router is always required for Cloud VPN, but it is only needed for dynamic BGP routing; for static routes, Cloud Router is not a mandatory component.

83
MCQ · easy

A developer wants to automate the creation of a Google Cloud project with a specific VPC and firewall rules. Which tool should they use?

A. Cloud Shell
B. Cloud Console
C. Deployment Manager
D. Cloud SDK
Answer: C

Deployment Manager is Google Cloud's infrastructure as code service.

Why this answer

Deployment Manager is the correct tool because it allows you to define and manage Google Cloud resources, including projects, VPCs, and firewall rules, using declarative templates (YAML, Python, or Jinja2). This enables infrastructure-as-code (IaC) automation, which is essential for repeatable and version-controlled project creation. Unlike interactive tools, Deployment Manager handles the entire lifecycle of resources, including dependencies and updates, without manual intervention.

Exam trap

Google Cloud often tests the distinction between interactive tools (Cloud Shell, Cloud Console) and automation tools (Deployment Manager, Cloud SDK), but the trap here is that candidates confuse Cloud SDK (a set of command-line tools) with an automation framework, whereas Deployment Manager is the only option that provides declarative, template-based automation for complex multi-resource deployments.

How to eliminate wrong answers

Option A is wrong because Cloud Shell is an interactive command-line environment that provides temporary access to Cloud SDK tools, but it does not itself automate resource creation; it is merely a terminal for running commands manually. Option B is wrong because Cloud Console is a web-based GUI for manually managing resources, which is not suitable for automation and cannot be used in scripts or CI/CD pipelines. Option D is wrong because Cloud SDK is a set of command-line tools (like gcloud) that can be used to create resources individually, but it requires imperative scripting and does not provide declarative, repeatable infrastructure-as-code templates like Deployment Manager does.

84
Matching · medium

Match each GCP storage service to its typical use case.

Matches

Object storage for unstructured data

Managed NFS file server

Block storage for VM instances

NoSQL database for large analytical workloads

Globally distributed relational database

Why these pairings

These are primary storage options in GCP.

85
Multi-Select · easy

Which TWO methods can be used to restrict inbound traffic to a Compute Engine instance to only specific IP addresses without relying on instance-level firewall rules? (Choose 2)

Select 2 answers
A. Use VPC Service Controls
B. Configure Cloud Armor policies
C. Create firewall rules in the VPC network
D. Assign a service account to the instance
E. Use Identity-Aware Proxy (IAP) for TCP forwarding
Answers: C, E

Firewall rules can restrict inbound traffic based on source IP ranges.

Why this answer

Option C is correct because VPC firewall rules operate at the network level, not the instance level, and can be configured to allow inbound traffic only from specific source IP ranges (e.g., using the 'sourceRanges' field). These rules are applied to all instances in the VPC or subnet, independent of any instance-level configuration, making them a valid method to restrict traffic without relying on instance-level firewall rules.

Exam trap

Google Cloud often tests the distinction between network-level controls (VPC firewall rules) and instance-level controls (like guest OS firewalls), and candidates may incorrectly think that service accounts or VPC Service Controls can filter inbound IP traffic.

86
MCQ · easy

A developer needs to pass a startup script to a Compute Engine instance during creation. Which method should be used to ensure the script runs on first boot?

A. Use gcloud compute instances create with --metadata=startup-script=...
B. Create a custom image with the script baked in.
C. Use gcloud compute instances add-metadata after creating the instance.
D. Use gcloud compute instances create with --startup-script flag.
Answer: A

This passes the startup script as instance metadata, which runs on first boot.

Why this answer

The `--metadata=startup-script=...` flag on `gcloud compute instances create` passes the script as instance metadata. Compute Engine automatically executes the value of the `startup-script` metadata key on every boot, including the first boot. This is the standard, documented method for providing a startup script at instance creation time.

Exam trap

The trap here is that candidates confuse the nonexistent `--startup-script` flag with the correct `--metadata=startup-script=...` syntax, or assume that adding metadata after creation will trigger the script on the first boot.

How to eliminate wrong answers

Option B is wrong because baking the script into a custom image makes it part of the image itself, not a dynamically assigned startup script; it would run on every boot of instances created from that image, but the question specifically asks for a method to pass the script during creation, not to embed it in the image. Option C is wrong because `gcloud compute instances add-metadata` modifies metadata on an already-running instance; the script would only run on the next boot, not on the first boot (which has already occurred). Option D is wrong because `gcloud compute instances create` does not support a `--startup-script` flag; the correct flag is `--metadata=startup-script=...`.

87
Drag & Drop · medium

Drag and drop the steps to migrate a Compute Engine VM to a different region using a snapshot into the correct order.


Why this order

Snapshots are global resources, but disks are regional. Create the disk in the target region, then create the VM.

88
MCQ · hard

A company runs a critical application on Compute Engine instances in a managed instance group (MIG) across three zones in us-central1. The application uses a Cloud Spanner database. Recently, the application experienced increased latency and timeouts during peak hours. The operations team noticed that the MIG's CPU utilization is consistently above 80% during peak hours, and the autoscaler is configured to scale based on CPU utilization with a target of 60%. However, the autoscaler is not adding new instances quickly enough, causing performance degradation. The team also observed that new instances take over 5 minutes to become healthy and serve traffic. The health check is a simple TCP check on port 8080. The application startup script downloads large configuration files from Cloud Storage. What should the team do to improve the autoscaling response time and reduce latency?

A. Increase the minimum number of instances in the MIG to handle peak load.
B. Reduce the autoscaler target CPU utilization to 40% so it scales earlier.
C. Create a custom Compute Engine image that includes the application and configuration, and use it in the MIG.
D. Change the health check to HTTP and reduce the initial delay and check intervals.
Answer: C

Custom image reduces startup time, allowing faster scaling.

Why this answer

Option C is correct because the primary bottleneck is the long instance startup time (over 5 minutes) caused by downloading large configuration files from Cloud Storage at boot. By creating a custom Compute Engine image that bakes the application and configuration into the image, new instances can start serving traffic almost immediately, drastically reducing the time before they become healthy and the autoscaler can consider them in scaling decisions. This directly addresses the root cause of slow autoscaling response, as the autoscaler cannot add instances faster than they become healthy.

Exam trap

The trap here is that candidates focus on tuning the autoscaler parameters (CPU target, health check intervals) rather than identifying the actual bottleneck—the instance startup time—which is a common misconception that autoscaling speed is purely a function of scaling policy settings.

How to eliminate wrong answers

Option A is wrong because increasing the minimum number of instances only handles baseline load, not the dynamic scaling speed during peak hours; it does not fix the slow instance startup time that delays autoscaler response. Option B is wrong because reducing the target CPU utilization to 40% would cause the autoscaler to trigger earlier, but it still cannot add instances faster than the 5-minute startup delay; it would only increase the number of pending instances without improving latency. Option D is wrong because changing the health check to HTTP and reducing intervals only affects how quickly the MIG detects an instance as healthy after it starts, but the fundamental problem is the 5-minute startup time itself—no health check tuning can make the instance boot faster.

89
MCQ · medium

A company is migrating a legacy monolithic application to Google Cloud. The application runs on a single VM and uses a local MySQL database. The goal is to minimize changes to the application code while improving availability. Which strategy should the company use?

A. Use a managed instance group for the application VM and store the database on a persistent disk attached to the primary instance.
B. Re-architect the application into microservices and use Cloud Run for stateless components.
C. Lift and shift the VM to Compute Engine, and migrate the database to Cloud SQL with a failover replica.
D. Containerize the application and deploy on Google Kubernetes Engine (GKE) with Cloud Spanner as the database.
Answer: C

Minimal code changes, uses managed database with high availability.

Why this answer

Option C is correct because it minimizes code changes by lifting the application VM to Compute Engine as-is, while migrating the local MySQL database to Cloud SQL with a failover replica. This improves availability through Cloud SQL's managed automatic failover to a standby replica in a different zone, without requiring application code changes to the database connection logic (the application can continue using the same MySQL protocol).

Exam trap

The trap here is that candidates often choose Option A, mistakenly believing that a managed instance group with a persistent disk provides database high availability, but they overlook that the persistent disk cannot be shared across instances in a managed instance group without additional orchestration (e.g., regional persistent disks or a clustered filesystem), and the database process itself is not automatically failed over.

How to eliminate wrong answers

Option A is wrong because storing the database on a persistent disk attached to a single instance in a managed instance group does not provide high availability for the database; if the primary instance fails, the persistent disk cannot be attached to a new instance without manual intervention, and the database state is lost or requires complex recovery. Option B is wrong because re-architecting into microservices and using Cloud Run requires significant application code changes, contradicting the goal of minimizing changes to the application code. Option D is wrong because containerizing and deploying on GKE with Cloud Spanner requires substantial application code changes (Cloud Spanner uses a different SQL dialect and connection protocol than MySQL) and introduces unnecessary complexity, violating the requirement to minimize code changes.

90
MCQ · medium

A team uses Cloud Build to build container images and deploy to Cloud Run. They want to automate deployments whenever a new image is pushed to Container Registry. What is the best approach?

A. Use Cloud Deploy with a delivery pipeline that polls for new images
B. Configure a Cloud Build trigger that runs on a push to the container image in Container Registry
C. Create a Cloud Function that subscribes to Pub/Sub and calls Cloud Run deploy
D. Set up a Cloud Scheduler job to run a script that deploys the latest image
Answer: B

Cloud Build triggers can respond to image push events directly.

Why this answer

Option B is correct because Cloud Build triggers can be configured to fire on a push to a container image in Container Registry, using the 'cloud-builds' Pub/Sub topic that Container Registry publishes to when an image is pushed. This allows Cloud Build to automatically run a build step (e.g., gcloud run deploy) to deploy the new image to Cloud Run without any polling or external infrastructure.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing Cloud Functions or Cloud Scheduler, missing the fact that Cloud Build triggers natively integrate with Container Registry's Pub/Sub events for automated, event-driven deployments.

How to eliminate wrong answers

Option A is wrong because Cloud Deploy delivery pipelines do not poll for new images; they are designed for continuous delivery with Skaffold-based configurations and require explicit triggers or manual releases, not automatic detection of image pushes. Option C is wrong because while a Cloud Function subscribing to Pub/Sub could work, it introduces unnecessary complexity and latency compared to the native Cloud Build trigger, which is the recommended and simpler approach for this exact use case. Option D is wrong because Cloud Scheduler jobs run on a fixed schedule and cannot detect new image pushes in real time, leading to either missed deployments or unnecessary redeployments of the same image.

91
Multi-Select · medium

Which THREE are valid methods to connect an on-premises network to a Google Cloud VPC?

Select 3 answers
A. Dedicated Interconnect
B. Cloud VPN
C. Cloud Router
D. VPC peering
E. Partner Interconnect
Answers: A, B, E

Dedicated Interconnect provides direct physical connection.

Why this answer

Dedicated Interconnect (A) provides a direct physical connection between your on-premises network and Google Cloud, offering high bandwidth and a Service Level Agreement (SLA) of up to 99.99% availability. It uses a cross-connect in a colocation facility to attach your on-premises router to a Google Cloud router, enabling private, low-latency connectivity to your VPC without traversing the public internet.

Exam trap

The trap here is that candidates confuse Cloud Router as a standalone connectivity method, when it is actually a routing component that must be paired with a VPN tunnel or Interconnect to function.

92
MCQ · medium

A company runs a web application on Compute Engine with an HTTP Load Balancer. Users report intermittent 502 Bad Gateway errors. What is the most likely cause?

A. Load balancer quota exceeded.
B. Firewall rules block health checks.
C. SSL certificate expired.
D. Backend instances are unhealthy or overloaded.
Answer: D

502 Bad Gateway typically means the backend is not responding properly.

Why this answer

The 502 Bad Gateway error from an HTTP Load Balancer typically indicates that the backend instances are failing to respond to the load balancer's health checks or are overwhelmed, causing the load balancer to consider them unhealthy and return a 502 error. This is the most common cause because the load balancer relies on healthy backends to forward traffic, and overloaded or failing instances cannot handle requests.

Exam trap

The trap here is that candidates often confuse 502 errors with SSL or quota issues, but the PCA exam specifically tests that 502 errors from an HTTP Load Balancer are almost always due to backend unavailability or overload, not frontend configuration problems.

How to eliminate wrong answers

Option A is wrong because exceeding a load balancer quota would result in a 429 Too Many Requests or a 503 Service Unavailable error, not a 502 Bad Gateway. Option B is wrong because firewall rules blocking health checks would cause the load balancer to mark backends as unhealthy, but the error would typically be a 502 only if the health check fails and no healthy backends remain; however, the question asks for the most likely cause, and overloaded backends are more common than misconfigured firewalls in intermittent 502 scenarios. Option C is wrong because an expired SSL certificate on the load balancer would cause SSL handshake failures and a 502 error only if the certificate is used for backend-to-load-balancer communication, but the load balancer terminates SSL and uses its own certificate; an expired certificate on the backend would not cause a 502 from the load balancer's perspective.

93
MCQ · easy

Your company runs a global e-commerce platform on Google Cloud. The application is deployed across multiple regions for low latency. You use Cloud SQL for transactional data and Cloud Spanner for global consistency of inventory. Recently, the operations team reported that the application is experiencing increased latency during peak hours, and the monthly cloud bill has risen significantly. Upon investigation, you find that the Cloud SQL instance is underutilized (CPU < 20%) while Cloud Spanner split utilization is over 80%. The application instances are fronted by a global external HTTPS load balancer. Network egress costs are high. Which course of action would best address both the latency and cost issues?

A. Reduce the Cloud SQL instance tier to a lower machine type to save costs, and add read replicas in other regions for failover.
B. Add more nodes to the Cloud SQL instance and enable automatic storage increase to handle peak loads.
C. Increase the number of splits in Cloud Spanner to reduce hot spots, and configure Cloud CDN in front of the load balancer to cache static content.
D. Move the transactional database to Cloud Spanner and decommission Cloud SQL to reduce complexity.
Answer: C

Increasing splits improves Spanner performance; Cloud CDN reduces egress costs and latency for static content.

Why this answer

The symptoms suggest that the Cloud SQL instance is underutilized, but Cloud Spanner is near capacity, causing potential contention. The high egress costs could be due to cross-region traffic. Option C is the best because scaling Cloud Spanner split utilization (by adding splits or nodes) will improve throughput and reduce latency, and using Cloud CDN reduces egress costs by caching content at edge locations.

Option A might increase costs without addressing the Spanner bottleneck. Option B adds more Cloud SQL capacity, which is already underutilized. Option D focuses on Cloud SQL only, not Spanner.

94
MCQ · hard

A company has a global web application deployed across multiple regions. They use an external HTTPS Load Balancer with backend services in us-central1 and europe-west1. They want users to be routed to the closest healthy backend. Which load balancing configuration is required?

A. Internal HTTP(S) Load Balancer
B. External HTTPS Load Balancer with global backend
C. External TCP/UDP Network Load Balancer
D. Classic Application Load Balancer
E. Regional external HTTPS Load Balancer
Answer: B

Correct. Global external HTTPS Load Balancer supports proximity-based routing.

Why this answer

Option B is correct because an External HTTPS Load Balancer with a global backend configuration uses Google Cloud's global anycast IP and the Premium Tier network to route users to the closest healthy backend based on latency and proximity. This setup ensures that traffic from users worldwide is directed to the nearest region (us-central1 or europe-west1) with a healthy instance group, providing optimal performance and failover.

Exam trap

The trap here is that candidates often confuse 'global' with 'regional' load balancers, mistakenly thinking a regional external HTTPS load balancer can serve multiple regions, but only the global external HTTPS load balancer supports cross-region backend services with anycast routing.

How to eliminate wrong answers

Option A is wrong because an Internal HTTP(S) Load Balancer is used for traffic within a VPC network, not for external user traffic from the internet. Option C is wrong because an External TCP/UDP Network Load Balancer operates at Layer 4 and does not support HTTPS termination, content-based routing, or global backend selection across regions. Option D is wrong because Classic Application Load Balancer is a legacy GCP resource that does not support global backends or cross-region routing; it is regionally scoped.

Option E is wrong because a Regional external HTTPS Load Balancer is confined to a single region and cannot route traffic to backends in multiple regions like us-central1 and europe-west1.

95
MCQ · medium

A company is migrating hundreds of on-premises VMs to Compute Engine. They want to minimize manual effort and downtime. Which service should they use?

A. Cloud Build
B. gcloud compute instances import
C. Transfer Appliance
D. Migrate for Compute Engine
E. CloudEndure
Answer: D

Correct. It supports bulk migration with minimal downtime.

Why this answer

Migrate for Compute Engine (formerly Velostrata) is the correct choice because it is a fully managed service specifically designed for migrating large-scale VM workloads to Compute Engine with minimal downtime. It uses a streaming migration approach that moves the OS and application data while the source VM continues running, then performs a cutover with near-zero downtime, making it ideal for hundreds of VMs without manual effort.

Exam trap

The trap here is that candidates may confuse CloudEndure (a popular third-party migration tool) with a native Google Cloud service, or assume gcloud compute instances import is sufficient for large-scale live migrations, but the exam emphasizes using the dedicated, fully managed migration service for minimal downtime and automation.

How to eliminate wrong answers

Option A (Cloud Build) is wrong because it is a CI/CD service for building, testing, and deploying software artifacts, not for migrating on-premises VMs to Compute Engine. Option B (gcloud compute instances import) is wrong because it is a command-line tool for importing single VM images or disks, not designed for orchestrating hundreds of live VM migrations with minimal downtime. Option C (Transfer Appliance) is wrong because it is a physical hardware device for offline bulk data transfer to Google Cloud, not suitable for live VM migration with minimal downtime.

Option E (CloudEndure) is wrong because it is an AWS service (now part of AWS Application Migration Service), not a Google Cloud service; while it can migrate to GCP, it is not a native Google Cloud offering and the question asks for a service they should use, implying a Google-managed solution.

96
MCQ · medium

A team manages a GKE cluster with node pools using different machine types. They plan to upgrade the cluster to a new Kubernetes version. What is the safest upgrade strategy to minimize application downtime?

A. Perform a rolling upgrade by draining all nodes simultaneously.
B. Create a new cluster with the desired version and migrate workloads.
C. Use a surge upgrade to add new nodes before removing old ones.
D. Upgrade the node pool configuration one by one.
Answer: C

Surge upgrade maintains capacity during the upgrade, minimizing disruption.

Why this answer

Option C is correct because a surge upgrade in GKE adds new nodes with the desired Kubernetes version before removing old nodes, ensuring capacity is maintained throughout the process. This minimizes application downtime by allowing pods to be rescheduled onto new nodes before old nodes are drained, following a controlled rolling update pattern that respects PodDisruptionBudgets.

Exam trap

Google Cloud often tests the misconception that draining all nodes simultaneously is a valid rolling upgrade strategy, when in fact it causes complete downtime and violates Kubernetes best practices for workload availability.

How to eliminate wrong answers

Option A is wrong because draining all nodes simultaneously would remove all running pods at once, causing complete application downtime and violating PodDisruptionBudgets if configured. Option B is wrong because creating a new cluster and migrating workloads requires manual or tool-based migration, which introduces significant operational overhead and potential downtime during the cutover, and is not the safest or most efficient strategy for an existing cluster. Option D is wrong because upgrading node pool configuration one by one does not specify a surge or rolling mechanism; without surge, it would drain nodes in the pool sequentially, potentially causing capacity shortages and downtime if the pool is under-provisioned.

97
MCQmedium

Refer to the exhibit. A user reports that the instance 'batch-vm' is unavailable. Based on the output, what is the most likely cause of the unavailability?

A.The VM was stopped manually by a user.
B.The preemptible VM was terminated by Google due to its preemptible nature.
C.The VM lost its external IP address.
D.The VM crashed due to an out-of-memory error.
AnswerB

Preemptible instances can be terminated at any time, and the status is TERMINATED.

Why this answer

The exhibit shows 'batch-vm' with a status of TERMINATED and the preemptible flag set to true. Preemptible VMs run for at most 24 hours and can be reclaimed by Compute Engine at any time when it needs the capacity; the VM receives a 30-second shutdown signal and then transitions to TERMINATED. Preemption is recorded in Cloud Logging as a compute.instances.preempted system event, which is the confirmation to look for when a user reports that a preemptible instance became unavailable without anyone having acted on it.

Exam trap

Google Cloud often tests the preemptible lifecycle, and candidates confuse preemption with a manual stop or a guest crash. Two details matter here. First, Compute Engine has no separate STOPPED state: a VM stopped by a user also shows TERMINATED (STOPPING and SUSPENDED are the other non-running states), and a TERMINATED VM is still billed for its attached persistent disks and any reserved static IP address. Second, what identifies preemption is therefore not the status but the preemptible flag in the exhibit and, in the logs, a compute.instances.preempted system event rather than a v1.compute.instances.stop entry in the Admin Activity audit log.

How to eliminate wrong answers

Option A is wrong because nothing in the exhibit points to a user action: the instance is flagged preemptible, and a manual stop would appear in the Admin Activity audit log as a v1.compute.instances.stop operation, whereas a preemption appears as a compute.instances.preempted system event. Status alone cannot separate the two cases, since a manually stopped VM also shows TERMINATED. Option C is wrong because losing or releasing an external IP address does not change the VM's lifecycle state; the VM stays RUNNING and is merely unreachable at that address, while the exhibit shows TERMINATED. Option D is wrong because an out-of-memory condition inside the guest kills processes or panics the guest kernel, but Compute Engine still reports the VM as RUNNING; TERMINATED is reached only through a stop, a preemption, or a host event on a VM whose maintenance policy is TERMINATE with automatic restart disabled.
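The check a practitioner would actually run is to combine the instance status with the audit log, because status alone cannot tell a preemption from a manual stop. The following is an added example, not code from the original page: the instance description mirrors the field names of `gcloud compute instances describe --format=json` and the log entries mirror Cloud Logging audit entries for Compute Engine, but every value is constructed for the exercise (project, zone and principal are placeholders).

```python
"""Tell a preempted VM from one a user stopped.

Added example, not code from the original page. Field names follow
`gcloud compute instances describe --format=json` and Cloud Logging audit
entries; all values are CONSTRUCTED for the exercise.
"""
import json

# Constructed describe output for the instance in the exhibit.
DESCRIBE_JSON = json.dumps({
    "name": "batch-vm",
    "status": "TERMINATED",
    "scheduling": {"preemptible": True, "automaticRestart": False},
})

INSTANCE = "projects/demo-project/zones/us-central1-a/instances/batch-vm"

# Constructed log entries. Preemption is recorded as a system event with
# methodName compute.instances.preempted; a manual stop is an Admin Activity
# entry with methodName v1.compute.instances.stop.
PREEMPTION_LOG = [
    {"logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Fsystem_event",
     "protoPayload": {"methodName": "compute.instances.preempted",
                      "resourceName": INSTANCE}},
]
MANUAL_STOP_LOG = [
    {"logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"methodName": "v1.compute.instances.stop",
                      "resourceName": INSTANCE,
                      "authenticationInfo": {"principalEmail": "ops@example.com"}}},
]


def classify(describe_json: str, log_entries: list) -> str:
    """Explain why an instance is unavailable from its status, scheduling and logs."""
    inst = json.loads(describe_json)
    status = inst["status"]
    if status == "RUNNING":
        # A lost external IP or a guest-side OOM leaves the VM RUNNING.
        return "running"
    if status != "TERMINATED":
        return status.lower()  # STOPPING, SUSPENDED, STAGING, ...

    # Status alone cannot separate a stop from a preemption: both show TERMINATED,
    # so look at which operations the audit logs recorded for this instance.
    suffix = "/instances/" + inst["name"]
    methods = {
        e["protoPayload"]["methodName"]
        for e in log_entries
        if e["protoPayload"]["resourceName"].endswith(suffix)
    }
    if "compute.instances.preempted" in methods:
        return "preempted"
    if "v1.compute.instances.stop" in methods:
        return "stopped_by_user"
    if inst.get("scheduling", {}).get("preemptible"):
        return "terminated_preemptible_unconfirmed"  # widen the log time window
    return "terminated_unknown"
```

Against a real project the same two inputs come from `gcloud compute instances describe batch-vm --format=json` and `gcloud logging read 'protoPayload.methodName="compute.instances.preempted"'`, the latter returning the system events that settle the question.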

98
MCQmedium

A company has Compute Engine instances in us-east1-a and us-east1-b zones. They want to allow communication between these instances with minimal latency and no additional cost. What is the best networking approach?

A.Configure VPC Network Peering between two separate VPC networks.
B.Use a single VPC network that includes both zones.
C.Create a new subnet in each zone and use Cloud NAT.
D.Set up a Cloud VPN between the zones.
AnswerB

Instances in the same VPC network can communicate using internal IPs with low latency.

Why this answer

A single VPC network is a global resource that spans every region and zone, so instances in us-east1-a and us-east1-b reach each other on their internal IP addresses over Google's backbone with no gateway, tunnel or extra configuration. This is the lowest-latency path available between the two zones. On cost, be precise: only internal-IP traffic that stays within one zone is free; traffic between zones in the same region carries a small flat inter-zone charge (listed at $0.01 per GB), and none of the other options removes that charge, while each of them adds components that are billed in their own right.

Exam trap

The trap here is that candidates overcomplicate zone-to-zone traffic by reaching for separate networks or VPNs, when a single VPC already provides flat internal connectivity across zones. Read the question's 'no additional cost' as 'no additional components to pay for': strictly, inter-zone traffic within a region is not free, it is simply the cheapest and simplest path on offer.

How to eliminate wrong answers

Option A is wrong because VPC Network Peering is used to connect separate VPC networks, which adds complexity and is unnecessary when instances are in the same VPC; it also does not reduce latency or cost compared to a single VPC. Option C is wrong because Cloud NAT is designed for outbound internet access from private instances, not for inter-zone communication, and it would introduce additional latency and cost. Option D is wrong because Cloud VPN is a site-to-site VPN solution for connecting on-premises networks or different VPCs across regions, not for intra-VPC zone-to-zone communication, and it adds latency and cost.

99
MCQmedium

An organization is migrating a MySQL database to Cloud SQL. They require automatic failover with zero data loss in the event of a zone outage. Which configuration should they use?

A.Cloud SQL with a cross-region replica.
B.Cloud SQL with automated backups and binary logging.
C.Cloud SQL with a read replica in a different zone.
D.Cloud SQL with high availability (HA) configuration.
AnswerD

HA uses synchronous replication in two zones, providing automatic failover with no data loss.

Why this answer

Option D is correct because Cloud SQL's high availability (HA) configuration uses a synchronous write to a standby instance in a different zone within the same region. This ensures that every transaction committed on the primary is also committed on the standby before acknowledging the client, guaranteeing zero data loss during a zone outage. Automatic failover to the standby occurs with no manual intervention, meeting both the automatic failover and zero data loss requirements.

Exam trap

The trap here is that candidates often confuse a read replica (which uses asynchronous replication and requires manual promotion) with an HA standby (which uses synchronous replication and automatic failover), leading them to incorrectly select Option C.

How to eliminate wrong answers

Option A is wrong because a cross-region replica uses asynchronous replication, which can result in data loss of up to several seconds of transactions during a failover, failing the zero data loss requirement. Option B is wrong because automated backups and binary logging provide point-in-time recovery from a backup, but they do not provide automatic failover; recovery requires manual intervention and can lose transactions committed after the last backup. Option C is wrong because a read replica in a different zone is designed for read scaling, not for automatic failover; promoting a read replica to primary is a manual process and the replica uses asynchronous replication, risking data loss.

100
Multi-Selectmedium

Which TWO are required to allow on-premises hosts to access Google APIs using internal IP addresses (Private Google Access)? (Choose 2)

Select 2 answers
A.A Cloud Interconnect or Cloud VPN connection between on-premises and VPC
B.A Cloud Router instance configured in the on-premises network
C.VPC Service Controls enabled
D.Private Google Access enabled on the subnet that the on-premises traffic will use
E.A private DNS zone for googleapis.com
AnswersA, D

Provides network connectivity between on-premises and GCP.

Why this answer

Option A: a Cloud Interconnect or Cloud VPN connection provides the private network path from on-premises hosts into the VPC network, so traffic to Google APIs never takes the public internet. Note that only Cloud VPN encrypts that path (IPsec); Cloud Interconnect is a private circuit and is not encrypted unless you add MACsec or run HA VPN over the Interconnect. Option D: Private Google Access is a subnet-level setting that lets instances without external IP addresses reach Google APIs on internal routes, and the exam key treats enabling it as the second requirement.

Exam trap

Google Cloud often tests the misconception that a Cloud Router or a DNS zone is what makes Private Google Access work, and the exam key here wants the private connection plus the subnet setting. A practitioner caveat from Google's own on-premises configuration guide: the subnet setting governs only VMs in that subnet. What carries on-premises traffic to Google APIs privately is (1) on-premises DNS resolving *.googleapis.com to the private.googleapis.com VIP (199.36.153.8/30) or the restricted.googleapis.com VIP (199.36.153.4/30), and (2) a route for that VIP range over the VPN or Interconnect, normally delivered to the on-premises router as a Cloud Router custom route advertisement. Know the key for the exam, and know the DNS and route requirements for a real deployment.

101
Multi-Selecteasy

A DevOps team is deploying a microservices application on Google Kubernetes Engine (GKE). They want to ensure that the pods can securely access Google Cloud APIs (e.g., Cloud Storage) without managing service account keys. Which TWO steps should they take? (Choose two.)

Select 2 answers
A.Create a dedicated GCP service account with necessary roles and bind it to Kubernetes service accounts via Workload Identity.
B.Use the Compute Engine default service account on each node.
C.Use a secrets management solution like HashiCorp Vault to store service account keys and retrieve them at runtime.
D.Enable Workload Identity on the GKE cluster.
E.Store service account keys in a Kubernetes Secret and mount them into pods.
AnswersA, D

This grants minimal required permissions to the workload, following the principle of least privilege, and leverages Workload Identity for secure access.

Why this answer

Option A is correct because Workload Identity maps a Kubernetes service account (KSA) to a Google Cloud service account (GSA): the GSA is granted only the roles the workload needs, the KSA is annotated with iam.gke.io/gcp-service-account naming the GSA, and the GSA grants roles/iam.workloadIdentityUser to the member serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]. Pods running as that KSA obtain short-lived tokens from the GKE metadata server, so there is no key file to leak or rotate. Option D is correct because the cluster must first be enabled for Workload Identity (the `--workload-pool=PROJECT_ID.svc.id.goog` flag on `gcloud container clusters create` or `update`, or the console) and its node pools must run the GKE metadata server before the binding has any effect.

Exam trap

Google Cloud often tests the misconception that storing keys in Kubernetes Secrets or using the node's default service account is acceptable for secure API access, when Workload Identity is the recommended, keyless approach on GKE. A Kubernetes Secret is only base64-encoded and is readable by anyone with get on secrets in that namespace, and the Compute Engine default service account is shared by every pod on the node, so neither gives a per-workload identity.

102
MCQhard

A company is using Cloud Storage to store sensitive data. They need to enforce that objects are deleted exactly 30 days after creation. Which object lifecycle rule should they configure?

A.AbortIncompleteMultipartUpload after 30 days.
B.Delete action with condition daysFromNonCurrentTime: 30.
C.Delete action with condition age: 30.
D.SetStorageClass to Nearline after 30 days.
AnswerC

Deletes objects 30 days after creation.

Why this answer

Option C is correct because a Delete action with condition age: 30 instructs Cloud Storage to delete an object once it is 30 days old, where age is counted from the object's creation time. Two caveats a practitioner should know: lifecycle management runs asynchronously, so deletion can lag the 30-day mark by up to about 24 hours ('exactly' in the question means 'on a fixed 30-day schedule', not to the minute), and age also matches noncurrent versions in a versioned bucket, so add isLive: true if only live objects should be targeted.

Exam trap

Google Cloud often tests the distinction between 'age' (days since the object was created) and 'daysSinceNoncurrentTime' (days since a version in a versioned bucket was superseded and became noncurrent; the option spells it 'daysFromNonCurrentTime', but the real condition name is daysSinceNoncurrentTime), leading candidates to confuse deleting current objects with cleaning up old versions.

How to eliminate wrong answers

Option A is wrong because AbortIncompleteMultipartUpload cancels multipart uploads that were never completed once they reach a given age, reclaiming the uploaded parts; it never deletes completed objects. Option B is wrong because daysSinceNoncurrentTime (spelled daysFromNonCurrentTime in the option) counts from the moment an object version became noncurrent in a versioned bucket, not from creation, and it never matches a live object. Option D is wrong because SetStorageClass to Nearline changes the storage class, and with it the cost and retrieval behaviour, but leaves the object in place.
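To make the age versus daysSinceNoncurrentTime distinction concrete, here is an added example (not code from the original page) that applies the two conditions, as Cloud Storage documents them, to a constructed set of objects. It models only the three conditions it needs; the object list, timestamps and bucket rule are invented for the exercise, and real lifecycle processing is asynchronous rather than evaluated on demand like this.

```python
"""Cloud Storage lifecycle: `age` vs `daysSinceNoncurrentTime`.

Added example, not from the original page. Implements the documented
semantics: age counts from the object's creation time (and applies to
noncurrent versions too); daysSinceNoncurrentTime counts from the time a
versioned object became noncurrent and never matches a live object.
Objects and timestamps are CONSTRUCTED.
"""
from datetime import datetime, timedelta, timezone

# The rule the answer describes, in the JSON shape that
# `gcloud storage buckets update --lifecycle-file=FILE` accepts.
LIFECYCLE = {"rule": [{"action": {"type": "Delete"}, "condition": {"age": 30}}]}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed objects. noncurrentTime is None for the live version.
OBJECTS = [
    {"name": "a.csv", "timeCreated": NOW - timedelta(days=31), "noncurrentTime": None},
    {"name": "b.csv", "timeCreated": NOW - timedelta(days=29), "noncurrentTime": None},
    # an old version created 40 days ago that was superseded 5 days ago
    {"name": "c.csv#1", "timeCreated": NOW - timedelta(days=40),
     "noncurrentTime": NOW - timedelta(days=5)},
]


def matches(condition: dict, obj: dict, now: datetime) -> bool:
    """True if every field in `condition` holds for `obj` (all fields are ANDed)."""
    for key, value in condition.items():
        if key == "age":
            if (now - obj["timeCreated"]).days < value:
                return False
        elif key == "daysSinceNoncurrentTime":
            nct = obj["noncurrentTime"]
            if nct is None or (now - nct).days < value:
                return False
        elif key == "isLive":
            if (obj["noncurrentTime"] is None) != value:
                return False
        else:
            raise ValueError(f"condition {key!r} is not modelled in this example")
    return True


def select_for_action(lifecycle: dict, objects: list, now: datetime,
                      action: str = "Delete") -> list:
    """Names of the objects that the lifecycle's rules for `action` would act on."""
    selected = []
    for rule in lifecycle["rule"]:
        if rule["action"]["type"] != action:
            continue
        for obj in objects:
            if obj["name"] not in selected and matches(rule["condition"], obj, now):
                selected.append(obj["name"])
    return selected
```

Running the answer's rule against these objects deletes a.csv and, because age is measured from creation regardless of version state, the 40-day-old noncurrent version c.csv#1 as well; a daysSinceNoncurrentTime: 30 rule deletes nothing here, since the only noncurrent version became noncurrent 5 days ago.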

103
MCQeasy

A developer wants to deploy a stateless web application that automatically scales based on HTTP traffic. The application should be cost-effective and require minimal configuration. Which compute option is best?

A.App Engine Standard Environment
B.Cloud Functions
C.Compute Engine managed instance group
D.Cloud Run
E.Google Kubernetes Engine
AnswerD

Correct. Cloud Run scales automatically and is simple to deploy.

Why this answer

Cloud Run is the best choice because it automatically scales to zero when idle, scales up to handle HTTP traffic spikes, and requires minimal configuration—just deploy a container. It is cost-effective as you pay only for resources used during request processing, and it supports stateless web applications natively without managing servers or clusters.

Exam trap

The trap here is treating Cloud Functions and Cloud Run as interchangeable. Cloud Functions packages a single function behind an HTTP or event trigger with per-invocation limits, so it fits an endpoint or a handler rather than a whole web application; Cloud Run serves any container that listens on a port, handles many concurrent requests per instance, and supports long-lived connections such as WebSockets. (Cloud Functions 2nd gen is itself built on Cloud Run, which is why the boundary feels blurry.)

How to eliminate wrong answers

Option A is wrong because App Engine Standard Environment, while serverless, has more restrictive runtime environments and may require code modifications to fit its sandbox, whereas Cloud Run offers more flexibility with any container. Option B is wrong because Cloud Functions is designed for event-driven, short-lived functions, not for a full stateless web application that handles continuous HTTP traffic. Option C is wrong because Compute Engine managed instance groups require manual configuration of autoscaling policies, instance templates, and health checks, and do not scale to zero, leading to higher costs during idle periods.

Option E is wrong because Google Kubernetes Engine requires cluster management, node configuration, and more operational overhead, making it less minimal in configuration compared to Cloud Run's fully managed serverless container platform.

104
MCQhard

A Cloud Router BGP session is flapping. The logs show 'Interface flapping due to changes in the underlying network'. What is the most likely cause?

A.MTU mismatch across the network path.
B.BGP MD5 authentication failure.
C.Incorrect local AS number in Cloud Router configuration.
D.BGP timer misconfiguration between peers.
AnswerA

MTU mismatch can cause intermittent packet loss, leading to BGP session flapping.

Why this answer

The message attributes the flaps to the underlying network path rather than to BGP itself. An MTU mismatch fits that pattern: BGP OPEN and KEEPALIVE messages are small and get through, so the session establishes, but larger UPDATE messages (for example a full set of advertised prefixes) exceed the path MTU, are dropped, and the session resets when the hold timer expires, re-establishes, and drops again. The practical check is to compare the MTU of the Cloud VPN tunnel or VLAN attachment (1440 by default for a VLAN attachment), the VPC network (1460 by default) and the on-premises peer, and to confirm with a ping of the expected size with the don't-fragment bit set.

Exam trap

The trap here is that candidates often associate BGP flapping with timer misconfigurations or authentication issues, but the specific log message about 'changes in the underlying network' points directly to a Layer 2 or path-level problem like MTU mismatch, not BGP protocol errors.

How to eliminate wrong answers

Option B is wrong because BGP MD5 authentication failure would generate authentication error messages, not interface flapping logs, and would prevent the session from establishing rather than cause intermittent flaps. Option C is wrong because an incorrect local AS number in Cloud Router configuration would cause a BGP open message error and the session would fail to establish entirely, not flap due to interface changes. Option D is wrong because BGP timer misconfiguration (e.g., hold time or keepalive) would cause the session to time out and reset, but the log specifically mentions 'changes in the underlying network', not timer expiry.

105
Multi-Selecthard

A company is designing a highly available web application on Google Cloud. The application consists of stateless compute instances behind a global HTTP(S) Load Balancer. The compute instances must be able to handle sudden spikes in traffic. Which TWO strategies should the company implement? (Choose two.)

Select 2 answers
A.Use Cloud CDN to cache all responses from the application servers.
B.Use a managed instance group with autoscaling based on CPU utilization.
C.Use a single Compute Engine instance in a single zone with a large machine type.
D.Use a global HTTP(S) Load Balancer with backends in multiple regions.
E.Use vertical scaling by selecting a machine type with more vCPUs and memory.
AnswersB, D

Autoscaling handles spikes by adding instances.

Why this answer

Option B is correct because a managed instance group with autoscaling based on CPU utilization automatically adjusts the number of stateless compute instances in response to traffic spikes, ensuring the application can handle sudden load increases without manual intervention. This aligns with the requirement for stateless instances behind a global load balancer, as autoscaling adds or removes instances based on real-time CPU metrics, providing elasticity and high availability.

Exam trap

The trap here is that candidates confuse caching (Cloud CDN) with compute scaling, or assume vertical scaling (a larger machine type) is enough for sudden spikes, ignoring the need for horizontal elasticity (option B) and multi-region redundancy behind the global load balancer (option D) in a highly available architecture.

106
MCQeasy

A developer needs to deploy a containerized application on Google Kubernetes Engine (GKE) with minimal operational overhead. They want to automatically scale the number of pods based on CPU utilization. Which GKE feature should they use?

A.Horizontal Pod Autoscaler.
B.Node auto-repair.
C.Vertical Pod Autoscaler.
D.Cluster Autoscaler.
AnswerA

HPA scales pods based on metrics like CPU.

Why this answer

The Horizontal Pod Autoscaler (HPA) is the correct choice because it automatically scales the number of pod replicas in a GKE deployment based on observed CPU utilization (or other custom metrics). This directly meets the requirement of scaling pods with minimal operational overhead, as HPA is a native Kubernetes resource that requires no manual intervention once configured.

Exam trap

Google Cloud often tests the distinction between horizontal scaling (HPA) and vertical scaling (VPA), where candidates mistakenly choose VPA when the question explicitly asks for scaling the number of pods based on CPU utilization.

How to eliminate wrong answers

Option B (Node auto-repair) is wrong because it automatically repairs unhealthy nodes in the node pool, not scales pods based on CPU utilization. Option C (Vertical Pod Autoscaler) is wrong because it adjusts the CPU and memory requests/limits of existing pods (vertical scaling), not the number of pod replicas (horizontal scaling). Option D (Cluster Autoscaler) is wrong because it adds or removes nodes from the cluster based on pod scheduling needs, not directly scaling pods based on CPU utilization.
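The HPA's scaling decision is a small, documented calculation, and seeing it worked through shows why 'scale the number of pods on CPU' is an HPA job and not a VPA one. The block below is an added example, not code from the page or from Kubernetes: it implements the formula from the HPA documentation, desiredReplicas = ceil(currentReplicas * currentMetric / targetMetric), with the controller's default 10% tolerance, over constructed per-pod CPU readings. It ignores the real controller's handling of not-ready pods and missing metrics.

```python
"""Horizontal Pod Autoscaler replica computation (simplified).

Added example, not from the page. Implements
    desiredReplicas = ceil(currentReplicas * currentUtilization / targetUtilization)
with the kube-controller-manager default tolerance of 10%: if the ratio is
within 0.9..1.1 the HPA leaves the replica count alone. Per-pod utilisation is
CPU usage divided by the pod's CPU request. Pod metrics are CONSTRUCTED.
"""
import math

TOLERANCE = 0.1  # default --horizontal-pod-autoscaler-tolerance


def average_utilization_pct(pod_cpu_millicores: list, cpu_request_millicores: int) -> float:
    """Mean CPU utilisation across pods as a percentage of the per-pod request."""
    if not pod_cpu_millicores or cpu_request_millicores <= 0:
        raise ValueError("need at least one pod metric and a positive CPU request")
    mean_usage = sum(pod_cpu_millicores) / len(pod_cpu_millicores)
    return mean_usage / cpu_request_millicores * 100.0


def desired_replicas(current_replicas: int, pod_cpu_millicores: list,
                     cpu_request_millicores: int, target_utilization_pct: int,
                     min_replicas: int = 1, max_replicas: int = 10) -> int:
    """Replica count the HPA would set for the next reconciliation."""
    utilization = average_utilization_pct(pod_cpu_millicores, cpu_request_millicores)
    ratio = utilization / target_utilization_pct
    if abs(ratio - 1.0) <= TOLERANCE:
        return current_replicas  # inside the tolerance band: no change
    desired = math.ceil(current_replicas * ratio)
    return max(min_replicas, min(max_replicas, desired))


if __name__ == "__main__":
    # Three pods requesting 500m CPU, each using 400-500m, target 50%:
    # utilisation 90%, ratio 1.8, ceil(3 * 1.8) = 6 replicas.
    print(desired_replicas(3, [400, 450, 500], 500, 50))
```

The same arithmetic explains a common tuning mistake: with a target of 50% the HPA reacts as soon as average utilisation crosses 55%, so pods whose CPU request is set far below real usage will scale out aggressively even under modest load.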

107
MCQhard

A global e-commerce site uses an external HTTPS load balancer with a backend service pointing to a managed instance group. Some users report 503 errors during peak traffic. The backend instances are healthy and not overloaded. What is the most likely cause?

A.The CDN cache is not warming up properly
B.The backend service's health check interval is too short
C.The SSL certificate is expired
D.The load balancer's max rate per backend is configured too low
AnswerD

The load balancer enforces a rate limit at the backend level; exceeding it produces 503.

Why this answer

A 503 from an external HTTPS load balancer whose backends are healthy and not overloaded points at the load balancer's own view of capacity rather than at the instances. With the RATE balancing mode, max rate per backend (or per instance or endpoint) is the target capacity the load balancer assigns to each backend; configured far below real peak demand, it makes the load balancer treat every backend as saturated during spikes, and clients receive 503s even though the instances could serve more, which matches errors that appear only at peak. In a real investigation, confirm the cause from the load balancer's request logs rather than inferring it: the statusDetails field of each log entry names the reason for a 5xx (for example failed_to_pick_backend or backend_timeout).

Exam trap

Google Cloud often tests the misconception that 503 errors always indicate backend overload or health check failures, when in fact the load balancer's rate limiting configuration can cause 503s with perfectly healthy instances.

How to eliminate wrong answers

Option A is wrong because CDN cache warming affects cache hit ratios and latency, not 503 errors from the load balancer; a cold cache sends more requests to the origin but does not throttle them. Option B is wrong because a health check interval that is too short could cause flapping or false unhealthy status, but the question states the backend instances are healthy, so health checks are passing. Option C is wrong because an expired certificate on the load balancer fails the client's TLS handshake (the browser reports an error such as ERR_CERT_DATE_INVALID) before any HTTP status is returned, and it would affect every user at all times, not only users during peak traffic.

108
MCQeasy

A company wants to minimize egress costs for data transferred between Compute Engine instances in the same region but different zones. What is the best practice?

A.Use a VPN connection.
B.Use internal IPs and ensure they are in the same VPC.
C.Use Cloud NAT.
D.Use external IPs for all instances.
AnswerB

Internal IP traffic within one VPC stays on Google's network and avoids internet egress, NAT and VPN charges; intra-zone traffic is free and inter-zone traffic within a region is billed at a low flat rate.

Why this answer

B is correct because it is the cheapest path Google offers: traffic between instances that share a VPC network and use internal IP addresses stays on Google's network and never incurs internet egress, Cloud NAT or Cloud VPN charges. Be precise about what 'free' means here. Google charges nothing for internal-IP traffic within a single zone, and a small flat rate (listed at $0.01 per GB) for traffic between zones in the same region; that inter-zone charge applies whatever the option chosen, so internal IPs within one VPC is the way to minimise, not eliminate, the cost, and it is also the option that keeps the traffic off public addresses.

Exam trap

The trap here is that candidates often confuse 'different zones' with 'different regions' and assume egress costs apply, or they mistakenly think that using external IPs or NAT is necessary for inter-instance communication, when in fact internal IPs within the same VPC and region are free and optimal.

How to eliminate wrong answers

Option A is wrong because a Cloud VPN tunnel adds a gateway, per-tunnel charges and tunnel egress, and it exists to connect on-premises networks or other VPCs, not two zones of one VPC. Option C is wrong because Cloud NAT provides outbound internet access for instances without external IPs; it plays no part in instance-to-instance traffic inside a VPC and is billed per gateway and per GB processed. Option D is wrong because routing between instances via their external IPs takes the traffic out of the internal data path, bills it as external rather than internal traffic, keeps a billable external IP attached to every instance, and needlessly exposes the instances on public addresses.

109
Multi-Selecthard

Which THREE are valid Google Cloud Dedicated Interconnect connection options?

Select 3 answers
A.High availability (HA) with two 10 Gbps circuits.
B.10 Gbps single circuit.
C.IPsec VPN tunnel as a backup to the interconnect.
D.Partner Interconnect offering via a service provider.
E.100 Gbps single circuit.
AnswersA, B, E

HA option provides redundancy.

Why this answer

Option A is correct because Dedicated Interconnect is built for redundant deployments: two connections let traffic fail over from one circuit to the other. Options B and E are correct because Dedicated Interconnect circuits come in exactly two sizes, 10 Gbps and 100 Gbps (a single connection can bundle up to 8 x 10 Gbps or 2 x 100 Gbps). A caveat on option A for real deployments: Google's SLA depends on topology, not just on having two circuits. The 99.9% topology needs two connections in different edge availability domains of the same metro, and the 99.99% topology needs four connections across two metros with Cloud Routers in two regions; two circuits in the same edge availability domain is not an SLA-backed design.

Exam trap

Google Cloud often tests the distinction between Dedicated Interconnect and Partner Interconnect, and the fact that IPsec VPN is a separate backup option, not a connection type for Dedicated Interconnect.

110
MCQeasy

An administrator is configuring firewall rules in a VPC. Two rules apply to the same traffic: rule 1 allows ingress from 0.0.0.0/0 on TCP 80, rule 2 denies ingress from 10.0.0.0/8 on TCP 80. Rule 1 has priority 1000, rule 2 has priority 500. What is the effective behavior for traffic from 10.0.0.1?

A.The result is unpredictable without knowing the rule creation order.
B.Traffic is allowed because allow rules override deny rules.
C.Traffic is denied because rule 2 has higher priority.
D.Traffic is allowed because rule 1 has a lower priority number.
AnswerC

Rule 2 (priority 500) has higher priority than rule 1 (priority 1000), so deny applies.

Why this answer

Google Cloud VPC firewall rules are evaluated by priority, where a lower number means higher priority (0 is the highest, 65535 the lowest, and 1000 is the default). For a given packet the highest-priority matching rule decides and evaluation stops: rule 2 (priority 500) matches traffic from 10.0.0.1 on TCP 80 and denies it, so rule 1 (priority 1000) is never consulted. Two further details complete the model: if an allow and a deny rule match at the same priority, the deny wins, and every VPC network carries implied rules at priority 65535 that allow all egress and deny all ingress, so ingress that matches no explicit rule is dropped. VPC firewall rules are also stateful (return traffic for an allowed connection is admitted automatically), unlike the stateless network ACLs found in some other clouds.

Exam trap

Google Cloud often tests two misconceptions at once: that allow rules override deny rules, and that rule creation order matters. The real trap is the numbering: a lower priority number means a higher priority, and candidates who read 1000 as 'higher than 500' pick the allow.

How to eliminate wrong answers

Option A is wrong because creation order never affects evaluation; only the priority value does (and, on a tie, deny beats allow). Option B is wrong because there is no allow-over-deny precedence in VPC firewall rules; the matching rule with the lowest priority number wins, and at equal priority the deny rule wins. Option D is wrong because it inverts the numbering: rule 1's value of 1000 is a lower priority than rule 2's 500, so rule 1 only matters for sources that rule 2 does not cover.
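The evaluation order is easy to state and easy to get backwards, so here is an added example (not code from the page or from Google) that models it for the two rules in the question: lowest priority number wins, deny wins a tie, and the implied rules apply when nothing else matches. The rules are constructed to mirror the question; target tags, target service accounts and source tags are deliberately not modelled.

```python
"""Evaluate Google Cloud VPC firewall rules for a single packet.

Added example, not from the page. Models the documented order: rules are
checked from the lowest priority number upward, the first match decides,
a DENY beats an ALLOW at equal priority, and the implied rules (deny all
ingress, allow all egress, priority 65535) cover everything else.
Rules are CONSTRUCTED to mirror the question; targets are not modelled.
"""
import ipaddress

# "ports": {"tcp": [80]} means TCP port 80; an empty list means every port
# of that protocol (the equivalent of `--allow tcp` in gcloud).
RULES = [
    {"name": "rule-1", "direction": "INGRESS", "priority": 1000, "action": "ALLOW",
     "sourceRanges": ["0.0.0.0/0"], "ports": {"tcp": [80]}},
    {"name": "rule-2", "direction": "INGRESS", "priority": 500, "action": "DENY",
     "sourceRanges": ["10.0.0.0/8"], "ports": {"tcp": [80]}},
]


def rule_matches(rule: dict, direction: str, src_ip: str, proto: str, port: int) -> bool:
    """Does this rule apply to the packet at all?"""
    if rule["direction"] != direction:
        return False
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in ipaddress.ip_network(cidr) for cidr in rule["sourceRanges"]):
        return False
    allowed_ports = rule["ports"].get(proto)
    if allowed_ports is None:
        return False
    return allowed_ports == [] or port in allowed_ports


def evaluate(rules: list, direction: str, src_ip: str, proto: str, port: int) -> tuple:
    """Return (action, rule_name) for the packet."""
    candidates = [r for r in rules if rule_matches(r, direction, src_ip, proto, port)]
    # Lower number = higher priority; at equal priority DENY sorts before ALLOW.
    candidates.sort(key=lambda r: (r["priority"], 0 if r["action"] == "DENY" else 1))
    if candidates:
        return candidates[0]["action"], candidates[0]["name"]
    if direction == "INGRESS":
        return "DENY", "implied-deny-ingress"
    return "ALLOW", "implied-allow-egress"


if __name__ == "__main__":
    print(evaluate(RULES, "INGRESS", "10.0.0.1", "tcp", 80))   # ('DENY', 'rule-2')
    print(evaluate(RULES, "INGRESS", "203.0.113.5", "tcp", 80))  # ('ALLOW', 'rule-1')
```

Changing rule 1's priority to 500 in the list above still yields a deny, which is the tie-breaking rule the question does not test but a reviewer of a real rule set should remember.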

111
MCQeasy

A service account needs to be able to start and stop Compute Engine instances in a specific project. Which IAM role should be assigned at the project level?

A.roles/iam.serviceAccountUser
B.roles/editor
C.roles/compute.viewer
D.roles/compute.instanceAdmin.v1
AnswerD

Grants necessary permissions to start and stop instances.

Why this answer

The correct answer is D, roles/compute.instanceAdmin.v1, because this predefined role includes compute.instances.start and compute.instances.stop along with the other instance management permissions, so a service account holding it at the project level can start and stop any instance in the project without receiving write access to unrelated resources. Two caveats for a real deployment: Google's role documentation notes that if the VMs themselves run as a service account, the caller also needs iam.serviceAccounts.actAs on that service account (roles/iam.serviceAccountUser); and if the requirement really is only start and stop, a custom role containing just compute.instances.start, compute.instances.stop, compute.instances.get and compute.instances.list is tighter still.

Exam trap

Google Cloud often tests the distinction between basic roles (formerly called primitive roles, such as roles/editor) and predefined roles (such as roles/compute.instanceAdmin.v1), where candidates pick the broader role for convenience and overlook the principle of least privilege and the specific permissions the task needs.

How to eliminate wrong answers

Option A is wrong because roles/iam.serviceAccountUser grants permission to act as a service account, not to manage Compute Engine instances; it lets the holder attach a service account to a resource but includes neither compute.instances.start nor compute.instances.stop. Option B is wrong because roles/editor is a basic role that grants edit access to practically every resource in the project, Compute Engine included, which violates least privilege by granting far more than instance management needs. Option C is wrong because roles/compute.viewer provides only read permissions on Compute Engine resources (for example compute.instances.list and compute.instances.get) and no action permissions such as starting or stopping instances.

112
MCQeasy

A team wants to allow a service account to be used only on specific Compute Engine VMs. Which IAM condition should be applied to the service account's roles?

A.resource.service
B.resource.owner
C.resource.name
D.resource.type
E.resource.labels
AnswerC

Correct. resource.name can be used to restrict to specific resources.

Why this answer

Option C is correct because a `resource.name` condition pins a conditional role binding to named resources; for a Compute Engine instance the name has the form `projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME`, and the CEL expression can test equality or, for a naming convention, `resource.name.startsWith(...)`. One detail to get right: `resource.name` is the name of the resource on which the permission is being checked, so the condition belongs on a binding whose permissions target the VM (for example roles/compute.instanceAdmin.v1 granted at the project level with the condition). A condition attached to roles/iam.serviceAccountUser granted on the service account itself would see the service account's resource name, not the VM's.

Exam trap

Google Cloud often tests the misconception that `resource.type` or `resource.labels` can restrict access to a specific VM, but only `resource.name` provides a unique identifier for a single instance, while labels are for grouping and can change over time.

How to eliminate wrong answers

Option A is wrong because `resource.service` identifies the service that owns the resource (for example `compute.googleapis.com`); it is a valid condition attribute, but it applies to every resource of that service and cannot single out one VM. Option B is wrong because `resource.owner` is not an IAM condition attribute at all; the resource attributes available to conditions are service, type, name and, where supported, labels and tags. Option D is wrong because `resource.type` (`compute.googleapis.com/Instance`) narrows the binding to a kind of resource, so it would apply to every VM in scope.

Option E is wrong because `resource.labels` can filter VMs by label key-value pairs, but it does not uniquely identify a specific VM instance; labels are mutable and can be shared across multiple VMs, making them unsuitable for restricting to a single VM.

113
MCQmedium

A company wants to migrate on-premises workloads to Google Cloud. They need to assess the existing infrastructure, plan the migration, and track progress. Which tool should they use?

A.Cloud Endpoints.
B.Cloud Deployment Manager.
C.Cloud Foundation Toolkit.
D.Migrate for Compute Engine.
AnswerD

Provides assessment and migration capabilities.

Why this answer

Migrate for Compute Engine (originally Velostrata, now branded Migrate to Virtual Machines) is the correct tool because it is built to assess, plan and migrate on-premises workloads to Google Cloud. It discovers the existing infrastructure, groups VMs into migration waves, and tracks progress in a dashboard, which covers the assessment, planning and tracking the question asks for.

Exam trap

The trap here is that candidates may confuse Cloud Foundation Toolkit (a foundation setup tool) with a migration tool, or assume Cloud Deployment Manager can handle migration planning, when in fact only Migrate for Compute Engine provides the full assessment-to-tracking workflow.

How to eliminate wrong answers

Option A is wrong because Cloud Endpoints is an API management service for securing and monitoring APIs, not a migration assessment or planning tool. Option B is wrong because Cloud Deployment Manager is an infrastructure-as-code tool for deploying Google Cloud resources using templates, not for assessing or migrating on-premises workloads. Option C is wrong because Cloud Foundation Toolkit provides Terraform templates and best practices for setting up a Google Cloud foundation (e.g., projects, networking), but it does not include discovery, assessment, or migration tracking for existing on-premises workloads.

114
MCQmedium

A web application running on Compute Engine behind a global HTTP(S) load balancer experiences high latency during traffic spikes. Which quick fix would best address this issue without changing the architecture?

A.Configure managed instance group autoscaling to add more instances.
B.Enable Cloud CDN on the load balancer.
C.Switch to a regional load balancer to reduce latency.
D.Increase the machine type of the backend instances.
AnswerA

Horizontal scaling quickly increases capacity.

Why this answer

Managed instance group (MIG) autoscaling dynamically adds more instances when CPU utilization or other metrics exceed a threshold, directly absorbing the increased traffic during spikes. This is the quickest fix because it requires no architectural changes—just configuring autoscaling parameters on the existing MIG. By scaling out horizontally, the load balancer can distribute requests across more backends, reducing per-instance load and latency.

Exam trap

Google Cloud often tests the distinction between horizontal scaling (autoscaling) and vertical scaling (increasing machine type) or caching solutions, leading candidates to choose Cloud CDN or machine type changes as a 'quick fix' when the real issue is insufficient compute capacity to handle dynamic request spikes.

How to eliminate wrong answers

Option B is wrong because enabling Cloud CDN caches static content at edge locations, which does not help with high latency caused by dynamic request processing during traffic spikes—CDN only reduces latency for cacheable content, not for the dynamic workload that is overwhelming the backend. Option C is wrong because switching to a regional load balancer would actually increase latency for global users, as it lacks the anycast IP and global distribution of the global HTTP(S) load balancer, and it requires architectural changes (e.g., changing the load balancer type). Option D is wrong because increasing the machine type (vertical scaling) is not a quick fix—it requires instance recreation or rolling update, and it does not scale as elastically as horizontal autoscaling; it also may not handle sudden spikes as effectively as adding more instances.

115
MCQ · hard

A company runs an e-commerce platform on Google Cloud. The application is deployed on Google Kubernetes Engine (GKE) with a regional cluster (us-central1, three zones). The frontend service is exposed via an HTTP Load Balancer with Cloud CDN. Recently, during a flash sale, users experienced high latency and occasional 502 errors. The backend service is a Java application that reads from Cloud Spanner. The team has observed that Spanner CPU utilization averaged 65% during the sale, with a few spikes to 80%. The number of frontend pods was auto-scaled to 50, each running on n1-standard-2 nodes. The node pool is set to autoscale up to 100 nodes. The errors appear to correlate with periods of high CPU on the nodes, but not always. What is the most likely cause and recommended action?

A. Scale up the Cloud Spanner instance to handle higher peak CPU, as the 80% spikes indicate insufficient capacity.
B. Change the backend service to use a multi-zone NEG that includes endpoints from all three zones, and ensure the load balancer is configured for cross-zone load balancing.
C. Increase the CPU request for the frontend pods and set a higher target CPU utilization for the Horizontal Pod Autoscaler.
D. Increase the health check interval and timeout settings to give pods more time to respond before being marked unhealthy.
Answer: B

This ensures traffic is distributed evenly across zones, reducing cross-zone latency and preventing a single zone from being overloaded.

Why this answer

The high latency and 502 errors are most likely caused by the load balancer concentrating traffic on a subset of zones. With container-native load balancing, GKE creates one zonal network endpoint group (NEG) per zone that has ready pods, and the backend service must reference all of them. If only some zones' NEGs are attached, every request lands on the pods in those zones: their nodes saturate while capacity elsewhere sits idle, and the overloaded pods time out or fail health checks, which the load balancer surfaces as 502s. Attaching the NEGs from all three zones and balancing across them spreads the 50 pods' capacity evenly, which fits the observation that errors track node CPU in some periods but not others.

Exam trap

The trap here is that candidates focus on scaling the database (Spanner) or adjusting pod-level configurations, when the real issue is zone-imbalanced traffic distribution from the HTTP Load Balancer, a common misdiagnosis in multi-zone GKE setups.

How to eliminate wrong answers

Option A is wrong because the evidence points elsewhere: the errors correlate with node CPU, not Spanner CPU. Google's guidance is to keep a regional Spanner instance's high-priority CPU below about 65%, so a 65% average with short spikes to 80% is at the edge of that guidance and worth watching, but adding Spanner nodes would not fix errors that the data ties to the frontend nodes. Option C is wrong because a larger CPU request lowers pod density per node while a higher HPA target delays scale-out, so the same traffic is served by fewer pods; neither change alters how the load balancer distributes requests across zones. Option D is wrong because longer health check intervals and timeouts make the load balancer slower to detect failing pods, so it keeps sending requests to them for longer and the 502 rate goes up, not down.
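A check a practitioner would run before and after applying the answer, as an added example that is not part of the exam page: it enables container-native load balancing on the frontend Service and compares the zones GKE reports in the Service's cloud.google.com/neg-status annotation against the zones the regional cluster spans. The Service name, zone list and NEG name in the sample annotation are placeholders; kubectl is assumed to be pointed at the cluster.

```shell
#!/bin/sh
# Added example (not from the exam page): confirm that container-native load
# balancing has a zonal NEG in every zone of the regional cluster. GKE creates
# a NEG only in zones that have ready endpoints, so a zone with no NEG means
# the load balancer cannot send that zone any traffic.
# SERVICE and EXPECTED_ZONES are placeholders; override them in the environment.
set -eu

SERVICE="${SERVICE:-frontend}"
EXPECTED_ZONES="${EXPECTED_ZONES:-us-central1-a us-central1-b us-central1-f}"

# Turn on container-native load balancing for the Service; GKE then creates
# and maintains one zonal NEG per zone and attaches them to the backend service.
enable_neg() {
  kubectl annotate service "$SERVICE" --overwrite \
    'cloud.google.com/neg={"ingress": true}'
}

# Read the status annotation GKE writes once the NEGs exist.
live_neg_zones() {
  kubectl get service "$SERVICE" \
    -o jsonpath='{.metadata.annotations.cloud\.google\.com/neg-status}'
}

# Pure check, usable offline: given the neg-status JSON on stdin, print each
# expected zone that has no NEG. Returns 1 if any zone is missing, else 0.
missing_neg_zones() {
  status=$(cat)
  rc=0
  for z in $EXPECTED_ZONES; do
    case "$status" in
      *"\"$z\""*) ;;
      *) printf '%s\n' "$z"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample of the annotation value, in the shape GKE writes it, with
# only two of the three zones covered; used for the offline check.
SAMPLE_NEG_STATUS='{"network_endpoint_groups":{"80":"k8s1-0123abcd-default-frontend-80-9f8e7d6c"},"zones":["us-central1-a","us-central1-b"]}'

# Usage against a live cluster:
#   enable_neg
#   live_neg_zones | missing_neg_zones || echo "NEG coverage incomplete"
```

A zone missing from the list usually means no ready pod was scheduled there (a node pool that did not scale out in that zone, or a pod anti-affinity or resource request that kept pods off it), so the fix is on the scheduling side as much as on the load balancer side.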

116
MCQ · easy

A user wants to store a database password that will be used by a Compute Engine instance. What is the most secure and manageable approach?

A. Use Secret Manager and grant the instance's service account access to the secret
B. Set the password as an environment variable in instance metadata
C. Store the password in Cloud Storage bucket metadata
D. Store the password in a file on the instance's boot disk
Answer: A

Secret Manager is the recommended way to store secrets with fine-grained access control.

Why this answer

Secret Manager is the most secure and manageable approach because it stores secrets encrypted at rest, versions them, records access in Cloud Audit Logs (data access logs, once enabled), supports rotation schedules that notify via Pub/Sub, and controls access with IAM down to the individual secret. Granting the instance's service account roles/secretmanager.secretAccessor on that one secret keeps the password out of instance metadata, startup scripts, logs, and disk images, and the grant can be audited and revoked independently of the instance's lifecycle.

Exam trap

Google Cloud often tests the misconception that instance metadata is a safe place for secrets because it is 'internal' to the project. In reality the metadata server hands custom metadata to any process on the instance without authentication, and the same values are readable by anyone with compute.instances.get on the VM, so a metadata entry is neither access-controlled nor auditable at the level of the secret.

How to eliminate wrong answers

Option B is wrong because a value placed in instance metadata is served by the metadata server to any process on the instance, is visible in the instance's resource description to anyone with compute.instances.get, and updates to it are recorded in Cloud Audit Logs; it also cannot be rotated or revoked without modifying the instance. Option C is wrong because Cloud Storage bucket metadata (labels and similar attributes) is not a secret store: it is visible to anyone with storage.buckets.get, carries no per-entry access control or versioning, and produces no access audit specific to the value. Cloud Storage encrypts everything at rest by default, so encryption is not the problem; exposure and manageability are. Option D is wrong because a file on the boot disk persists the secret in every snapshot, image, and clone of that disk and to any process or user with OS-level read access, and it cannot be centrally rotated or revoked.
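The answer's setup end to end, as an added example that is not code from the exam page: an operator creates the secret and binds the accessor role on that single secret to the VM's service account, and the VM reads the value using the token the metadata server issues for that service account, so nothing but the IAM binding links the instance to the password. PROJECT, SECRET and SA are placeholders, and the instance is assumed to run with access scopes that include cloud-platform (the default scopes do not cover Secret Manager, and without that scope the token is refused regardless of IAM).

```shell
#!/bin/sh
# Added example (not from the exam page): store a database password in Secret
# Manager, grant one service account read access to that one secret, and read
# it from inside the VM via the metadata-server token and the REST API.
# PROJECT, SECRET and SA are placeholders; override them in the environment.
set -eu

PROJECT="${PROJECT:-my-project}"
SECRET="${SECRET:-db-password}"
SA="${SA:-app-vm@${PROJECT}.iam.gserviceaccount.com}"

# Operator side: create the secret with its first version read from stdin
# (never from argv, which is visible in process listings), then bind the
# accessor role on the secret resource itself rather than on the project.
create_secret_and_grant() {
  gcloud secrets create "$SECRET" --project="$PROJECT" \
    --replication-policy=automatic --data-file=-
  gcloud secrets add-iam-policy-binding "$SECRET" --project="$PROJECT" \
    --member="serviceAccount:$SA" --role="roles/secretmanager.secretAccessor"
}

# Instance side: obtain an access token for the attached service account.
# The Metadata-Flavor header is required; the call needs no credentials.
metadata_token() {
  curl -sf -H 'Metadata-Flavor: Google' \
    'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token' \
    | sed -n 's/.*"access_token": *"\([^"]*\)".*/\1/p'
}

# Pure helper, usable offline: decode the payload of a versions.access
# response read from stdin. Production code should also verify dataCrc32c.
decode_secret_payload() {
  sed -n 's/.*"data": *"\([^"]*\)".*/\1/p' | base64 -d
}

# Instance side: fetch the latest version and emit the plaintext on stdout,
# to be piped straight into the application; never write it to disk or logs.
fetch_secret() {
  curl -sf -H "Authorization: Bearer $(metadata_token)" \
    "https://secretmanager.googleapis.com/v1/projects/$PROJECT/secrets/$SECRET/versions/latest:access" \
    | decode_secret_payload
}

# Constructed sample of a versions.access response for the offline decoder
# check: "czNjcjN0LXB3" is base64 of "s3cr3t-pw".
SAMPLE_ACCESS_RESPONSE='{"name":"projects/123/secrets/db-password/versions/1","payload":{"data":"czNjcjN0LXB3","dataCrc32c":"0"}}'

# Usage:
#   operator:  printf '%s' "$DB_PASSWORD" | create_secret_and_grant
#   instance:  DB_PASSWORD=$(fetch_secret)
```

Binding the role on the secret rather than the project is what makes the grant least-privilege: the service account can read this one value and nothing else in Secret Manager, and revoking it is a single remove-iam-policy-binding with no change to the instance.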
