CCNA Pca Managing Provisioning Questions

75 of 87 questions · Page 1/2 · Pca Managing Provisioning topic · Answers revealed

1
MCQmedium

A team is using Cloud Functions with a Cloud Storage trigger. They notice that sometimes the function does not execute after a file is uploaded. What is the most likely cause?

A.The Cloud Functions region is different from the bucket region
B.The function's memory limit is too low
C.The Cloud Storage bucket has object versioning enabled which changes event semantics
D.The function has too many concurrent invocations
AnswerC

Enabling object versioning does not suppress the finalize event. A new upload, and an overwrite of an existing object, still emit 'finalize' for the new generation; in a versioned bucket an overwrite additionally emits 'archive' for the superseded generation. A function that never runs for plain uploads is almost always subscribed to the wrong event type or carries an over-restrictive filter, which is the misconfiguration option C is pointing at.

Why this answer

Cloud Storage triggers are event notifications filtered by bucket and event type. A function subscribed to 'archive', 'delete' or 'metadataUpdate' will not run for a new upload; only 'google.storage.object.finalize' (1st gen) or 'google.cloud.storage.object.v1.finalized' (2nd gen, delivered through Eventarc) signals new content. Two permission gaps produce the same symptom and are worth checking first: for 2nd gen triggers the Cloud Storage service agent needs roles/pubsub.publisher on the project, and the trigger's service account needs roles/eventarc.eventReceiver. Region, memory and concurrency (A, B, D) affect latency and failures once the function is invoked, not whether it is invoked.
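An added example, not code from the original page, showing the event-type check described above. It normalises the 1st-gen and 2nd-gen event type names, skips archive events so a versioned overwrite is not handled twice, and pins the generation named in the event. The bucket, object names and generations are constructed sample data, and the prefix filter is an assumption for illustration.

```python
"""Classify Cloud Storage trigger events before doing any work.

Added example, not code from the original page. The event type strings are
the ones Cloud Functions (1st gen) and Eventarc (2nd gen) deliver; the bucket
name, object names and generations below are constructed sample data.
"""
from __future__ import annotations

# 1st-gen Cloud Functions event names and 2nd-gen (Eventarc CloudEvent) types,
# normalised to a short kind so a handler can be wired to either generation.
_EVENT_KINDS = {
    "google.storage.object.finalize": "finalize",
    "google.storage.object.archive": "archive",
    "google.storage.object.delete": "delete",
    "google.storage.object.metadataUpdate": "metadataUpdate",
    "google.cloud.storage.object.v1.finalized": "finalize",
    "google.cloud.storage.object.v1.archived": "archive",
    "google.cloud.storage.object.v1.deleted": "delete",
    "google.cloud.storage.object.v1.metadataUpdated": "metadataUpdate",
}


def event_kind(event_type: str) -> str:
    """Map a raw event type to finalize/archive/delete/metadataUpdate."""
    try:
        return _EVENT_KINDS[event_type]
    except KeyError:
        raise ValueError(f"unknown Cloud Storage event type: {event_type}") from None


def should_process(event_type: str, data: dict, bucket: str, prefix: str = "") -> tuple[bool, str]:
    """Return (process?, reason) for one event.

    Only a finalize event means new content exists. In a versioned bucket an
    overwrite produces a finalize for the new generation and an archive for the
    superseded one; the archive must be ignored or the object is handled twice.
    The generation is pinned so a later overwrite cannot swap the bytes read.
    """
    kind = event_kind(event_type)
    if kind != "finalize":
        return False, f"ignored: {kind} event carries no new content"
    if data.get("bucket") != bucket:
        return False, f"ignored: event for bucket {data.get('bucket')!r}, expected {bucket!r}"
    name = data.get("name", "")
    if not name.startswith(prefix):
        return False, f"ignored: {name!r} is outside prefix {prefix!r}"
    return True, f"process gs://{bucket}/{name}#{data['generation']}"


# Constructed sample: an overwrite of uploads/report.csv in a versioned bucket
# (finalize + archive), then an upload outside the watched prefix.
SAMPLE_EVENTS = [
    ("google.cloud.storage.object.v1.finalized",
     {"bucket": "acme-ingest", "name": "uploads/report.csv", "generation": "1700000000000002"}),
    ("google.cloud.storage.object.v1.archived",
     {"bucket": "acme-ingest", "name": "uploads/report.csv", "generation": "1700000000000001"}),
    ("google.storage.object.finalize",
     {"bucket": "acme-ingest", "name": "tmp/scratch.bin", "generation": "1700000000000003"}),
]


def triage(events, bucket="acme-ingest", prefix="uploads/"):
    """Run should_process over a batch. A 2nd-gen handler would call
    should_process(cloud_event["type"], cloud_event.data, ...) per event."""
    return [should_process(t, d, bucket, prefix) for t, d in events]


if __name__ == "__main__":
    for ok, reason in triage(SAMPLE_EVENTS):
        print("PROCESS" if ok else "SKIP   ", reason)
```

Of the three constructed events only the first is processed: the archive is the old generation of the same object, and the third upload is outside the watched prefix. Wiring the function to the archive event instead of finalize would invert that outcome, which is the misconfiguration behind this question.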

2
MCQhard

Your organization uses a Shared VPC to centrally manage network resources. A project that is not the host project needs to create a Cloud SQL instance using a private IP in the Shared VPC. What must be configured?

A.Create a VPC peering between the service project and the host project
B.Grant the service project the 'compute.networkUser' role on the VPC network
C.Use Cloud NAT to allow the Cloud SQL instance to communicate
D.Enable the Service Networking API and allocate an IP range for the Cloud SQL instance
AnswerD

Correct. Private services access requires allocating an IP range and establishing a connection.

Why this answer

For a service project to use private IP on the Shared VPC, the host project grants the principal that creates the instance (or the service project as a whole) the compute.networkUser role on the host project or on the specific subnet. The private services access pieces, the allocated IP range (purpose VPC_PEERING) and the Service Networking connection, belong to the host project's network and are created there with the Service Networking API enabled; the service project then creates the Cloud SQL instance with its network set to the host VPC. VPC peering (A) is what Service Networking sets up for you rather than something you create by hand, and Cloud NAT (C) only provides outbound internet access.

3
MCQmedium

A company wants to grant a service account in Project A the ability to push containers to Artifact Registry in Project B. They want to follow the principle of least privilege. Which IAM roles should they assign?

A.Grant the service account the Storage Object Admin role (roles/storage.objectAdmin) on Project B
B.Grant the service account the Artifact Registry Writer role (roles/artifactregistry.writer) on the repository in Project B
C.Grant the service account the Artifact Registry Admin role (roles/artifactregistry.admin) on the repository in Project B
D.Grant the service account the Artifact Registry Reader role (roles/artifactregistry.reader) on the repository in Project B
AnswerB

Writer role allows pushing images and is the correct least-privilege role for this task.

Why this answer

To push containers, the service account needs the Artifact Registry Writer role (roles/artifactregistry.writer), granted on the specific repository in Project B rather than at project level. Storage Object Admin applies to Cloud Storage buckets, not Artifact Registry repositories. Artifact Registry Admin additionally allows deleting repositories and changing their IAM policy, which pushing does not require.

The Reader role only allows pulling.

4
MCQmedium

An organization runs a stateful application on GKE that must not lose data during cluster upgrades or node repairs. The application uses persistent volumes with ReadWriteOnce access mode. The team wants to ensure pods are not evicted simultaneously. Which Kubernetes resource should they configure?

A.PodDisruptionBudget
B.ClusterAutoscaler
C.HorizontalPodAutoscaler
D.VerticalPodAutoscaler
AnswerA

PDB ensures a minimum number of pods are available during voluntary disruptions.

Why this answer

PodDisruptionBudget (PDB) specifies the minimum number of available pods that must remain up during voluntary disruptions, such as node upgrades.

5
MCQmedium

You need to create a private GKE cluster with Workload Identity enabled to allow pods to access Google Cloud APIs without static service account keys. What must you configure for the cluster?

A.Enable Binary Authorization on the cluster
B.Enable Workload Identity on the cluster and set the --workload-pool flag at cluster creation
C.Create a node pool with a service account that has the necessary IAM roles and assign that SA to pods
D.Use Cloud NAT to allow pods to communicate with Google APIs
AnswerB

Correct. Workload Identity is enabled via the --workload-pool flag on the cluster.

Why this answer

Workload Identity Federation for GKE is enabled on the cluster with --workload-pool=PROJECT_ID.svc.id.goog (node pools then run the GKE metadata server). Pods run as a Kubernetes service account that is either bound to an IAM service account (roles/iam.workloadIdentityUser plus the iam.gke.io/gcp-service-account annotation) or granted IAM roles directly as a federated principal; no key file is created. Binary Authorization (A) governs which images may run, a node service account (C) would be shared by every pod on the node, and Cloud NAT (D) is unrelated to identity.

6
Multi-Selecteasy

A company wants to provide a private, low-latency connection between their on-premises data center and Google Cloud, with bandwidth up to 10 Gbps and a service level agreement (SLA) of 99.99% availability. Which TWO connectivity options should they consider?

Select 2 answers
A.Partner Interconnect
B.Dedicated Interconnect
C.Direct Peering
D.Cloud VPN
E.Carrier Peering
AnswersA, B

Partner Interconnect provides up to 10 Gbps per VLAN attachment through a supported provider. For either Interconnect type the 99.99% SLA applies only to the recommended redundant topology (for Dedicated Interconnect, four connections across two metros and both edge availability domains).

Why this answer

Dedicated Interconnect offers 10 Gbps or 100 Gbps per circuit and a 99.99% SLA in the redundant topology. Partner Interconnect offers up to 10 Gbps per VLAN attachment and the same 99.99% SLA through supported partners. HA VPN does carry a 99.99% availability SLA, but it runs over the public internet and tunnels are limited to roughly 3 Gbps each, so it fails the private, low-latency requirement.

Direct Peering and Carrier Peering connect to Google's public services, not to a VPC, and carry no SLA.

7
MCQmedium

Your organization requires all container images deployed to GKE to be signed by an approved authority. Which service enforces that only signed images are allowed to run?

A.Binary Authorization
B.Cloud Asset Inventory
C.Artifact Registry
D.Container Analysis
AnswerA

Correct. Binary Authorization enforces image signing and attestation.

Why this answer

Binary Authorization enforces policies that require images to be signed by trusted authorities before they can be deployed on GKE.

8
Multi-Selecthard

A company wants to implement a CI/CD pipeline for a Java application that will be deployed to Cloud Run. They use Cloud Build and Artifact Registry. The pipeline must compile the Java code, run unit tests, build a container image, and deploy to Cloud Run. Which THREE steps are required in the cloudbuild.yaml? (Choose 3)

Select 3 answers
A.Step with image 'gcloud' and entrypoint: 'gcloud', args: ['container', 'clusters', 'get-credentials']
B.Step with image 'docker' and args: ['build', '-t', '...']
C.Step with image 'maven' and args: ['mvn', 'compile', 'test']
D.Step with image 'node' and entrypoint: 'npm', args: ['test']
E.Step with image 'gcloud' and entrypoint: 'gcloud', args: ['run', 'deploy', ...]
AnswersB, C, E

This builds the container image.

Why this answer

To compile and test the Java code, use a Maven (or Gradle) builder step. Build the image with docker build, and push it to Artifact Registry before deploying. Deploy with gcloud run deploy --image. Step A fetches GKE credentials and step D runs npm tests; neither applies to a Java service on Cloud Run. The build service account needs Cloud Run Admin plus the Service Account User role on the Cloud Run runtime service account for the deploy step to succeed.

9
MCQmedium

A team is deploying a microservice on Cloud Run that needs to access a Cloud SQL database securely. They want to avoid using public IPs and ensure traffic stays within Google's network. Which configuration should they use?

A.Configure Cloud SQL with a public IP and use Cloud SQL Proxy in the Cloud Run service
B.Enable Private Google Access on the VPC subnet
C.Use Serverless VPC Access and assign a private IP to the Cloud SQL instance
D.Create a VPC network peering between the Cloud Run tenant project and the Cloud SQL project
AnswerC

Serverless VPC Access connects Cloud Run to your VPC, and Cloud SQL private IP ensures traffic stays within Google's network.

Why this answer

Serverless VPC Access gives the Cloud Run service a connector into the VPC. With private services access configured, the Cloud SQL instance gets a private IP in the peered producer range and the service reaches it over internal addressing only. Option A works functionally, since the Cloud SQL Auth Proxy authenticates with IAM and encrypts with TLS, but the connection terminates on the instance's public IP, which the question rules out.

Private Google Access lets VMs without external IPs reach Google APIs; it does not give Cloud Run a route into a VPC. Option D is not something you can configure: the peering for a managed Cloud SQL instance is created by Service Networking, not by hand.

10
MCQhard

A financial services company requires that all audit logs be retained for 7 years in a cost-effective, immutable storage. They also need to run ad-hoc SQL queries on the logs. Which configuration should they use?

A.Create a log sink to BigQuery with a 7-year partition expiration and use BigQuery's SQL capabilities
B.Use Cloud Logging's default retention and set up a log-based metric to trigger a Cloud Function that copies logs to BigQuery
C.Export logs to Cloud Storage with a retention policy set to 7 years and use Cloud Storage SQL interface
D.Create two log sinks: one to BigQuery for querying, and one to Cloud Storage with object retention policy for immutable storage
AnswerD

Log sinks to BigQuery allow SQL queries; Cloud Storage with retention policy provides immutable, cost-effective long-term storage.

Why this answer

Logging routes logs to BigQuery for SQL analysis, and BigQuery offers time-based partitioning and long-term storage, but a partition expiration (A) deletes data and nothing stops an administrator from shortening it, so it is not immutable. Immutability comes from a Cloud Storage bucket retention policy: objects cannot be deleted or overwritten until they reach the retention age, and once the policy is locked the retention period cannot be reduced nor the policy removed. Lock the policy; otherwise the control is only as strong as the bucket's IAM. Cloud Storage has no SQL interface of its own (C).

Option D combines both sinks correctly.

11
MCQhard

A company has a Shared VPC with a service project hosting GKE clusters. The GKE nodes need to access Cloud SQL instances in the host project. The team wants to avoid public IP and use Private Service Access. They have configured a VPC peering between the host VPC and the service producer VPC for Cloud SQL. However, the GKE pods cannot reach the Cloud SQL instance. What is the most likely cause?

A.The Cloud SQL instance is not configured with a private IP
B.The service project needs a Private Service Connect endpoint to access the Cloud SQL instance
C.The service project is not authorized in the Cloud SQL instance
D.The firewall rules in the host VPC block egress from the service project
AnswerB

In a Shared VPC the private services access peering is attached to the host project's network and VPC peering is not transitive; where pods cannot rely on that peering, the Private Service Connect endpoint for Cloud SQL is the alternative the key selects.

Why this answer

Private services access creates a VPC peering between the host VPC and the Cloud SQL producer VPC, and peering is not transitive: only networks directly peered with the producer exchange routes. Service-project workloads on Shared VPC subnets are in the host VPC, so they normally can reach the instance's private IP, provided the pod address range is exported to the peering (VPC-native clusters use subnet secondary ranges, which are exported automatically; routes-based clusters need custom route export enabled on the peering) and host-project firewall rules allow egress to the database port. When that route exchange cannot be relied on, a Cloud SQL instance can instead be exposed through Private Service Connect, which publishes it as an endpoint with an address in the consumer VPC and needs no peering. Authorized networks (C) apply only to public-IP connections. Before reaching for PSC, rule out a missing private IP (A) with gcloud sql instances describe and a firewall block (D) with the host project's firewall rules.

12
MCQhard

A company is migrating its on-premises MongoDB database to Google Cloud. They want a fully managed, highly available NoSQL database that is compatible with MongoDB drivers. Which Google Cloud service should they choose?

A.Cloud Firestore
B.MongoDB Atlas on Google Cloud Marketplace
C.Cloud Bigtable
D.Cloud SQL
AnswerB

MongoDB Atlas is a fully managed MongoDB-compatible service available via Google Cloud Marketplace.

Why this answer

MongoDB Atlas via Google Cloud Marketplace is a fully managed MongoDB service that runs on Google Cloud and is compatible with MongoDB drivers. Cloud Bigtable and Firestore are not MongoDB-compatible. Cloud SQL is relational.

13
Multi-Selectmedium

A company has a legacy application that runs on a single Compute Engine VM and expects to use a fixed IP address. They want to migrate the VM to a different region with minimal downtime. Which TWO actions should they take?

Select 2 answers
A.Use gcloud compute instances move command
B.Delete the original VM before creating the new one
C.Convert the VM to a managed instance group
D.Reserve a static external IP address in the target region
E.Create a snapshot of the boot disk and create a new VM from the snapshot in the target region
AnswersD, E

Reserving a static IP ensures the VM has a fixed IP after migration.

Why this answer

Snapshot the boot disk and create a new VM from the snapshot in the target region. Snapshots are global resources, so a disk can be restored from one in any region. External IP addresses are regional, so the original address cannot follow the VM: reserve a static external IP in the target region, attach it to the new VM, and update DNS or client configuration to point at it.

Instances cannot be moved directly between regions (A). Deleting the original VM first (B) would cause downtime; keep it running until the new one is validated, then release it. Converting to a managed instance group (C) is not necessary for a single VM.

14
MCQhard

A GKE cluster has a Horizontal Pod Autoscaler (HPA) configured for CPU utilization. The pods are not scaling up even though CPU usage is high. What could be the reason?

A.The cluster autoscaler is disabled
B.The HPA is configured with the wrong metric name
C.The node pool is out of capacity
D.The pods do not have resource requests defined
AnswerD

HPA requires CPU resource requests on pods to calculate utilization.

Why this answer

The HPA computes CPU utilization as total usage divided by total CPU requests across the target's pods. If the containers declare no CPU request, the controller has no denominator, records a FailedGetResourceMetric event with 'missing request for cpu' and leaves the replica count unchanged; kubectl describe hpa shows the condition. The other options describe different symptoms: a disabled cluster autoscaler (A) or a full node pool (C) leave newly requested pods Pending rather than stopping the HPA from asking for them, and a wrong metric name (B) applies to custom metrics, not to the built-in cpu resource metric.
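The utilization arithmetic the HPA performs, reproduced as an added example (not from the original page) that follows the Kubernetes controller's algorithm: utilization is total usage over total requests, a 10% tolerance suppresses small changes, and the result is rounded up and clamped to the min/max bounds. The pod figures are constructed; the missing-request case reproduces the symptom in this question.

```python
"""Reproduce the HPA replica calculation for a CPU utilization target.

Added example, not from the original page. It follows the algorithm in the
Kubernetes HPA controller (utilization = sum(usage) / sum(requests), 10%
tolerance, ceil, clamp to min/max); the pod figures are constructed.
"""
from __future__ import annotations

import math

TOLERANCE = 0.1  # kube-controller-manager default --horizontal-pod-autoscaler-tolerance


def current_utilization_percent(pods: list[dict]) -> int:
    """Average CPU utilization across pods, as the HPA computes it.

    The controller divides total usage by total requests. A container with no
    CPU request makes the division meaningless, so the controller reports
    "missing request for cpu" and skips scaling; that is the failure in Q14.
    """
    usage_m = 0
    request_m = 0
    for pod in pods:
        if not pod.get("cpu_request_m"):
            raise ValueError(f"missing request for cpu in pod {pod['name']}")
        usage_m += pod["cpu_usage_m"]
        request_m += pod["cpu_request_m"]
    return (usage_m * 100) // request_m  # integer percent, as in the controller


def desired_replicas(current_replicas: int, pods: list[dict], target_percent: int,
                     min_replicas: int, max_replicas: int) -> tuple[int, int]:
    """Return (replicas the HPA would set, current utilization percent)."""
    current = current_utilization_percent(pods)
    ratio = current / target_percent
    if abs(ratio - 1.0) <= TOLERANCE:
        desired = current_replicas  # within tolerance: no change
    else:
        desired = math.ceil(current_replicas * ratio)
    return max(min_replicas, min(max_replicas, desired)), current


# Constructed samples: three pods requesting 500m CPU and each using 900m ...
PODS_WITH_REQUESTS = [
    {"name": f"web-{i}", "cpu_usage_m": 900, "cpu_request_m": 500} for i in range(3)
]
# ... and the same pods deployed without any resource requests.
PODS_WITHOUT_REQUESTS = [{"name": f"web-{i}", "cpu_usage_m": 900} for i in range(3)]


if __name__ == "__main__":
    print(desired_replicas(3, PODS_WITH_REQUESTS, 60, 1, 10))
    try:
        desired_replicas(3, PODS_WITHOUT_REQUESTS, 60, 1, 10)
    except ValueError as exc:
        print("HPA cannot scale:", exc)
```

With requests set, 2700m of usage against 1500m of requests is 180% utilization, three times the 60% target, so the HPA asks for nine replicas. Without requests the same usage produces an error instead of a scale-up, which matches the "CPU is high but nothing scales" symptom.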

15
MCQmedium

An engineer needs to share a VPC network across multiple projects in an organization while maintaining centralized network administration. Which approach should they use?

A.Shared VPC
B.VPC peering between all projects
C.Private Google Access
D.Cloud VPN between projects
AnswerA

Shared VPC allows a host project to share networks with multiple service projects.

Why this answer

Shared VPC allows a host project to share its VPC network with service projects, enabling centralized network administration. VPC peering connects separate VPCs but does not allow centralized administration.

16
MCQmedium

An organization wants to ensure that all VMs in a project have the 'restricted-vm' tag to apply a firewall rule that allows only SSH from a bastion host. The VMs are created by multiple teams. Which approach ensures the tag is automatically applied to all new VMs?

A.Create a Cloud Function that listens to Compute Engine audit logs and adds the tag to new instances
B.Use a custom image that includes the tag in the instance metadata
C.Use an organization policy to require the tag
D.Configure OS Config with a software recipe to add the tag
AnswerA

This approach can tag instances automatically upon creation by monitoring the compute.instances.insert operation.

Why this answer

OS Config (D) applies OS policies inside the guest and cannot change instance metadata or tags. A custom image (B) carries nothing that turns into a network tag. Organization policy constraints (C) cannot require a network tag, and there is no built-in hook that tags instances for you, so the remaining option is an audit-log driven function: route Admin Activity logs for compute.instances.insert to Pub/Sub, and have a Cloud Function call instances.setTags on the new instance.

Two caveats for anyone relying on this: there is a window between creation and tagging during which the VM is untagged, and network tags are mutable by anyone with compute.instances.setTags, so the tag is a convenience rather than a security boundary. Resource Manager tags (secure tags) are governed by IAM and can be referenced from network firewall policies when a stronger guarantee is needed.

17
MCQeasy

A DevOps team wants to automate the deployment of infrastructure on Google Cloud using a declarative configuration language. They need to support Python and Jinja templates for reusable modules. Which service should they use?

A.Config Connector
B.Terraform on Google Cloud
C.Cloud Deployment Manager
D.Cloud Build
AnswerC

Cloud Deployment Manager supports YAML, Python, and Jinja templates, fulfilling the requirement for declarative configuration with reusable modules.

Why this answer

Cloud Deployment Manager supports YAML configurations with Python and Jinja templates, which is what the question asks for. Terraform is also declarative but uses HCL, not Python or Jinja. Cloud Build is a CI/CD service, not a provisioning tool. Note that Google has announced end of support for Deployment Manager and points new work to Infrastructure Manager, which runs Terraform; the question reflects the older product line-up.

Config Connector is for Kubernetes-style resource management, not Python/Jinja templates.

18
MCQmedium

A company wants to use Cloud Deploy to automate deployments to GKE. They need to configure an approval gate that requires manual approval before promoting a release to a production cluster. Where is this approval gate defined?

A.In the delivery pipeline YAML under the 'target' definition
B.In the Cloud Scheduler job
C.In the GKE cluster as a constraint
D.In the cloudbuild.yaml file
AnswerA

Each target can set requireApproval: true; a rollout to that target then waits until a principal with roles/clouddeploy.approver approves it.

Why this answer

In Cloud Deploy, approval gates are defined per target in the delivery pipeline configuration. The target resource specifies whether an approval is required.

19
MCQeasy

An organization wants to manage Google Cloud infrastructure as code using declarative configuration files. They need a solution that supports Python and Jinja templating languages. Which service should they choose?

A.Cloud Composer
B.Terraform on Google Cloud
C.Cloud Deployment Manager
D.Cloud Build
AnswerC

Correct. Deployment Manager natively supports YAML templates and Python/Jinja.

Why this answer

Cloud Deployment Manager supports YAML templates with optional Python or Jinja helpers, making it the correct choice for declarative infrastructure management with those languages.

20
MCQeasy

A developer wants to deploy a containerized web application on Google Cloud that can scale to zero when not in use and charges only for resources consumed during request processing. Which compute service should they choose?

A.Cloud Run
B.Google Kubernetes Engine (GKE)
C.App Engine Flexible Environment
D.Compute Engine instance group
AnswerA

Cloud Run is serverless and can scale to zero, charging only for resources used during request processing. It is ideal for intermittent containerized workloads.

Why this answer

Cloud Run is a serverless container platform that scales to zero when idle and charges per request, making it cost-effective for intermittent traffic. GKE requires at least one node to be running, so it cannot scale to zero. Compute Engine instances incur costs even when idle.

App Engine Flexible Environment also runs at least one instance.

21
MCQmedium

A Cloud Run service needs to connect to a Cloud SQL MySQL instance privately without using public IP. What must be configured?

A.Set up VPC Network Peering between Cloud Run and Cloud SQL
B.Enable Private Google Access on the VPC subnet
C.Use Cloud SQL Proxy as a sidecar container
D.Deploy a VPC connector and attach it to the Cloud Run service
AnswerD

The VPC connector enables Cloud Run to send traffic to internal IP addresses in the VPC, such as Cloud SQL private IP.

Why this answer

To connect privately, create a Serverless VPC Access connector in the VPC (or Shared VPC subnet) that carries the private services access peering for Cloud SQL, attach it to the Cloud Run service, and connect to the instance's private IP. Private Google Access (B) lets VMs without external IPs reach Google APIs; it does not route Cloud Run into a VPC. The Cloud SQL Auth Proxy (C) authenticates and encrypts the connection but does not by itself make a private IP reachable. Cloud Run exposes no VPC peering to configure (A). Cloud Run's newer Direct VPC egress can replace the connector for the same purpose, but it is not among the options.

22
MCQhard

A team is running a GKE cluster with a workload that has variable CPU and memory usage. They want to automatically adjust pod resource requests and limits based on historical usage to improve resource efficiency. Which feature should they use?

A.Vertical Pod Autoscaler (VPA)
B.PodDisruptionBudget (PDB)
C.Horizontal Pod Autoscaler (HPA)
D.Cluster Autoscaler
AnswerA

VPA adjusts CPU and memory requests/limits based on usage, improving resource efficiency.

Why this answer

Vertical Pod Autoscaler (VPA) automatically adjusts CPU and memory requests and limits of pods based on historical usage, making it ideal for right-sizing. Horizontal Pod Autoscaler (HPA) scales the number of pods based on metrics, but does not modify resource requests. Cluster Autoscaler adjusts the number of nodes.

PodDisruptionBudget controls pod disruptions during maintenance.

23
MCQeasy

Which GCP service provides distributed tracing to help analyze latency in microservices applications?

A.Cloud Profiler
B.Cloud Trace
C.Cloud Logging
D.Cloud Monitoring
AnswerB

Trace is a distributed tracing system that captures latency data.

Why this answer

Cloud Trace collects latency data from applications and provides near-real-time traces. Cloud Profiler provides continuous profiling. Cloud Monitoring provides metrics and dashboards.

Cloud Logging provides log management.

24
MCQeasy

An organization wants to manage DNS records for a domain they own (e.g., example.com) and use Google Cloud for authoritative DNS. They also need to resolve internal hostnames for resources within their VPC. Which Cloud DNS configuration should they use?

A.Create a single public managed zone and use DNS peering for internal resolution
B.Create a single private managed zone for both external and internal DNS resolution
C.Use Google Groups DNS to manage both public and private records
D.Create a public managed zone for example.com and a private managed zone for internal VPC resources
AnswerD

Public zone handles external DNS queries; private zone attached to the VPC handles internal resolution.

Why this answer

Cloud DNS public zones manage public DNS records for internet-facing domains. Cloud DNS private zones are used for internal DNS resolution within VPCs. The correct approach is to create a public zone for example.com and a private zone for internal hostnames attached to the VPC.

25
MCQeasy

An engineer needs to provision a GKE cluster with a node pool that uses preemptible VMs to reduce costs. Which gcloud command should they use?

A.gcloud container clusters update --preemptible
B.gcloud container clusters create --preemptible-nodes
C.gcloud compute instances create --preemptible
D.gcloud container node-pools create --preemptible
AnswerD

This correctly creates a node pool with preemptible VMs.

Why this answer

The --preemptible flag on gcloud container node-pools create makes every node in that pool preemptible; clusters create and clusters update have no such flag, and compute instances create --preemptible creates a bare VM, not a GKE node pool. Preemptible VMs are a legacy offering limited to 24 hours of runtime; for new node pools prefer --spot, which carries the same discount without the 24-hour limit.

26
MCQmedium

A company runs a critical application on Compute Engine instances. They want to automatically patch the operating system on a weekly schedule to meet compliance requirements. Which Google Cloud service should they use?

A.Cloud Monitoring
B.Cloud Security Command Center
C.Cloud Build
D.OS Config
AnswerD

Correct. OS Config includes patch management for Compute Engine instances.

Why this answer

OS Config, part of VM Manager, provides patch management capabilities including scheduled patching and compliance reporting.

27
Multi-Selecthard

A security team wants to monitor and audit all changes to IAM policies in a Google Cloud organization. They need to set up real-time alerts when a new binding is added. Which THREE services should they combine to achieve this?

Select 3 answers
A.Cloud Scheduler
B.Cloud Pub/Sub
C.Cloud Functions
D.Cloud Audit Logs
E.Cloud Storage
AnswersB, C, D

Pub/Sub delivers log entries in real-time for processing.

Why this answer

Cloud Audit Logs (Admin Activity) record every SetIamPolicy call together with the binding deltas. A log sink with a filter such as protoPayload.methodName="SetIamPolicy" routes those entries to a Pub/Sub topic in near real time, and a Cloud Function subscribed to the topic inspects the deltas and raises the alert (for example by email or a chat webhook).

Cloud Storage is a sink destination for archival, not for real-time alerting. Cloud Scheduler runs cron jobs and could only poll.
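An added example, not code from the original page, of the function at the end of the Pub/Sub sink described in this question and in Q16: it routes Cloud Audit Log entries, raising an alert for every binding added by a SetIamPolicy call (with a higher severity for broad roles) and producing a tagging work item when a compute.instances.insert operation completes. The two log entries are constructed and trimmed to the fields used; the JSON paths are those of Cloud Audit Logs, while the severity list and the tag name are assumptions for the example.

```python
"""Route Cloud Audit Log entries delivered over Pub/Sub.

Added example for Q16 and Q27, not from the original page. Two constructed
Admin Activity entries are embedded: a SetIamPolicy call that adds a binding,
and the final entry of a compute.instances.insert operation. The JSON paths
are those of Cloud Audit Logs; the high-risk role list and the tag name are
assumptions for the example.
"""
from __future__ import annotations

import json

# Roles whose addition should page someone rather than just be recorded (assumed list).
HIGH_RISK_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/iam.securityAdmin",
    "roles/resourcemanager.projectIamAdmin",
    "roles/iam.serviceAccountTokenCreator",
}


def iam_binding_alerts(entry: dict) -> list[dict]:
    """Alerts for every binding ADDed by a SetIamPolicy call.

    The policy diff is recorded in protoPayload.serviceData.policyDelta.bindingDeltas;
    REMOVE deltas are left out so the alert stream stays quiet.
    """
    pl = entry.get("protoPayload", {})
    if not pl.get("methodName", "").lower().endswith("setiampolicy"):
        return []
    actor = pl.get("authenticationInfo", {}).get("principalEmail", "unknown")
    deltas = pl.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    alerts = []
    for delta in deltas:
        if delta.get("action") != "ADD":
            continue
        alerts.append({
            "severity": "HIGH" if delta["role"] in HIGH_RISK_ROLES else "MEDIUM",
            "actor": actor,
            "resource": pl.get("resourceName"),
            "role": delta["role"],
            "member": delta["member"],
        })
    return alerts


def tag_action(entry: dict, required_tag: str) -> dict | None:
    """Work item to add required_tag to a freshly created VM.

    compute.instances.insert is a long-running operation: the audit log writes
    one entry when it starts (operation.first) and one when it finishes
    (operation.last). Only the last entry means the instance exists to be tagged.
    """
    pl = entry.get("protoPayload", {})
    if not pl.get("methodName", "").endswith("compute.instances.insert"):
        return None
    if not entry.get("operation", {}).get("last"):
        return None
    parts = pl["resourceName"].split("/")  # projects/P/zones/Z/instances/NAME
    return {"project": parts[1], "zone": parts[3], "instance": parts[5], "add_tag": required_tag}


def route(lines, required_tag: str = "restricted-vm"):
    """Split a batch of JSON log lines into IAM alerts and tagging work."""
    alerts, tags = [], []
    for line in lines:
        entry = json.loads(line)
        alerts.extend(iam_binding_alerts(entry))
        action = tag_action(entry, required_tag)
        if action:
            tags.append(action)
    return alerts, tags


# Constructed sample entries (trimmed to the fields used above).
SAMPLE_LINES = [
    json.dumps({
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "resourceName": "projects/acme-prod",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/editor", "member": "user:bob@example.com"},
                {"action": "REMOVE", "role": "roles/viewer", "member": "user:bob@example.com"},
            ]}},
        },
    }),
    json.dumps({
        "protoPayload": {
            "methodName": "v1.compute.instances.insert",
            "resourceName": "projects/acme-prod/zones/us-central1-a/instances/batch-7",
            "authenticationInfo": {"principalEmail": "ci@acme-prod.iam.gserviceaccount.com"},
        },
        "operation": {"id": "operation-abc", "first": False, "last": True},
    }),
]

if __name__ == "__main__":
    found_alerts, found_tags = route(SAMPLE_LINES)
    for alert in found_alerts:
        print("ALERT", alert)
    for tag in found_tags:
        print("TAG  ", tag)
```

In a deployed function the tagging item would be handed to the Compute API (instances.setTags with the current tag fingerprint) and the alert to whatever notification channel the team uses; both are left as data here so the routing logic can be run and checked offline.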

28
Multi-Selecteasy

A startup wants to store application secrets (e.g., API keys, database passwords) securely on Google Cloud. They need to support automatic rotation of secrets and fine-grained access control. Which TWO services should they use? (Choose 2.)

Select 2 answers
A.Cloud Storage with object versioning
B.Cloud Functions
C.Secret Manager
D.Cloud Identity and Access Management (IAM)
E.Cloud Key Management Service (Cloud KMS)
AnswersC, E

Secret Manager is the dedicated service for storing and managing secrets with rotation and versioning.

Why this answer

Secret Manager is the service that stores secret payloads, with versioning, IAM on each secret and scheduled rotation notifications. It encrypts payloads at rest with Google-managed keys by default; adding Cloud KMS with customer-managed encryption keys (CMEK) puts the key under your control, which is the second service the question expects. Cloud KMS on its own manages keys, not arbitrary secrets.

Cloud Storage is not designed for secrets. IAM alone does not provide secret storage. Cloud Functions can access secrets but is not a storage service.

29
MCQeasy

An organization is using Cloud Build to build container images and push them to Artifact Registry. Which step in the cloudbuild.yaml file is necessary to tag and push the image?

A.A step that runs 'docker push' with the Artifact Registry URL
B.A step that runs 'gcloud container images push'
C.A step that runs 'gsutil cp' to upload the image
D.A step that runs 'kubectl apply'
AnswerA

This step pushes the image to Artifact Registry.

Why this answer

The 'docker push' step with the Artifact Registry destination (REGION-docker.pkg.dev/PROJECT/REPO/IMAGE:TAG) uploads the built image; the docker builder in Cloud Build is already authenticated as the build service account, so no separate login step is needed. Listing the image under the top-level 'images:' field is an equivalent way to have Cloud Build push it after the steps finish. 'gcloud container images push' does not exist, gsutil copies files to Cloud Storage, and kubectl apply deploys manifests rather than pushing images.

30
Multi-Selecthard

You are designing a multi-region deployment for a critical application on GKE. The application must withstand a regional outage and automatically redirect traffic to the healthy region. Which THREE components must be configured? (Choose 3)

Select 3 answers
A.Cloud Spanner
B.Global HTTP(S) Load Balancer
C.Regional Cloud SQL
D.Multi-cluster Ingress
E.Cloud NAT
AnswersA, B, D

Provides multi-region strongly consistent database.

Why this answer

Multi-region GKE with global load balancing, multi-cluster ingress, and a multi-region database like Spanner are required.

31
MCQmedium

A DevOps team uses Cloud Build to deploy Docker images to GKE. They want to ensure that only images that have passed a vulnerability scan and been signed by a trusted authority can be deployed. Which service should they integrate with Cloud Build and GKE?

A.Artifact Analysis
B.Cloud Security Scanner
C.Cloud Key Management Service
D.Binary Authorization
AnswerD

Binary Authorization enforces image signing and attestation policies.

Why this answer

Binary Authorization enforces policies that require images to be signed by trusted authorities and verified before deployment on GKE.

32
MCQhard

A company runs a batch processing workload on Compute Engine instances that read from Cloud Storage and write results to BigQuery. The instances are launched via a managed instance group (MIG) and each job takes about 30 minutes. The company wants to reduce costs without sacrificing performance. What is the most cost-effective way to provision these instances?

A.Use sole-tenant nodes
B.Use standard (on-demand) VMs
C.Use preemptible VMs
D.Use committed use discounts (CUDs) with 1-year commitment
AnswerC

Preemptible VMs provide significant cost savings for fault-tolerant batch jobs.

Why this answer

Preemptible VMs are 60 to 91% cheaper than on-demand VMs and suit batch workloads that can tolerate interruption. A 30-minute job fits comfortably within the 24-hour preemption limit, and the job should checkpoint progress so that a preempted instance can be replaced by the MIG and the work resumed. On-demand VMs (B) pay full price, sole-tenant nodes (A) serve isolation or licensing requirements, and a committed use discount (D) assumes steady usage rather than intermittent batch runs. Spot VMs are the current equivalent of preemptible VMs, with the same discount and no 24-hour limit.

33
MCQeasy

An organization requires that only container images signed by a trusted authority can be deployed on Google Kubernetes Engine (GKE). Which Google Cloud service should they implement?

A.Artifact Registry
B.Binary Authorization
C.Secret Manager
D.Cloud Deploy
AnswerB

Binary Authorization ensures only signed images are deployed by integrating with attestors and admission controllers.

Why this answer

Binary Authorization enforces deploy-time policies based on attestations from trusted authorities. It ensures only signed images are deployed to GKE. Artifact Registry stores images, Secret Manager manages secrets, and Cloud Deploy handles deployments but does not enforce image signing.

34
MCQmedium

A team is using GKE with cluster autoscaling enabled. They notice that some nodes are underutilized but the cluster autoscaler does not remove them. What could be the reason?

A.The node is in a different zone
B.The node has running pods that are part of a DaemonSet
C.The cluster autoscaler is not configured to scale down
D.The node has pods with restrictive PodDisruptionBudgets
AnswerD

If PDB prevents pod eviction, the node cannot be removed.

Why this answer

The cluster autoscaler does not remove a node if there are pods that cannot be rescheduled elsewhere. This can happen due to PodDisruptionBudgets, local storage, or node-specific constraints.

35
MCQmedium

A DevOps team wants to manage Google Cloud resources declaratively using Infrastructure as Code. They need to version control their configuration and automate deployments. Which two tools are natively supported by Google Cloud for this purpose?

A.Cloud Shell and gcloud CLI
B.AWS CloudFormation and Terraform
C.Ansible and Puppet
D.Cloud Deployment Manager and Terraform
AnswerD

Both are natively supported IaC tools on Google Cloud.

Why this answer

Cloud Deployment Manager uses YAML, Python, or Jinja templates, and Terraform is a popular IaC tool with a native Google Cloud provider. Both allow declarative management and version control.

36
MCQeasy

Which Google Cloud service allows you to create alerting policies based on log entries?

A.Cloud Logging
B.Cloud Audit Logs
C.Error Reporting
D.Cloud Monitoring
AnswerA

Cloud Logging allows creation of log-based metrics that can trigger alerts.

Why this answer

Cloud Logging supports log-based metrics, which can be used to create alerting policies in Cloud Monitoring.

37
MCQeasy

A company wants to automate the creation and management of Google Cloud resources using an infrastructure-as-code tool that supports configuration drift detection and is Google Cloud-native. Which tool should they use?

A.Cloud Deployment Manager
B.Terraform
C.Cloud SDK
D.Cloud Build
AnswerA

Cloud Deployment Manager is the native IaC tool for Google Cloud.

Why this answer

Cloud Deployment Manager is the Google Cloud-native infrastructure-as-code service; it supports YAML configurations with Python and Jinja templates, and previewing an update shows the changes a new configuration would make to the deployment. Google has announced end of support for Deployment Manager in favour of Infrastructure Manager, which runs Terraform; Terraform's plan step is how most teams detect drift between declared and actual resources today.

38
MCQhard

An engineer is troubleshooting a Cloud Build trigger that fails with the error 'PERMISSION_DENIED: Cloud Build service account does not have permission to access Artifact Registry'. The build needs to push a Docker image to Artifact Registry. What is the correct IAM role to assign to the Cloud Build service account?

A.roles/artifactregistry.writer
B.roles/artifactregistry.viewer
C.roles/editor
D.roles/storage.objectAdmin
AnswerA

This role allows uploading artifacts to Artifact Registry, which includes pushing Docker images.

Why this answer

Whichever service account the trigger runs as needs roles/artifactregistry.writer on the target repository (or the project). Check the build's serviceAccount field: depending on when the project was created, the default is either the legacy PROJECT_NUMBER@cloudbuild.gserviceaccount.com account or the Compute Engine default service account, and the role must go to the one actually in use. Editor is far broader than the task requires, Viewer is read-only, and Storage Object Admin applies to Cloud Storage buckets, not Artifact Registry.

39
MCQmedium

An organization has multiple GCP projects managed by a central operations team. They want to define a common VPC configuration in a host project and allow service projects to use it. Which networking feature should they use?

A.Shared VPC
B.Private Service Connect
C.Cloud VPN
D.VPC peering
AnswerA

Shared VPC enables a host project to share VPC networks with service projects.

Why this answer

Shared VPC allows a host project to contain shared VPC networks that service projects can use. VPC peering is for connecting separate networks. Private Service Connect is for accessing managed services.

Cloud VPN is for on-premises connectivity.

40
Multi-Selectmedium

A team is deploying a stateful application on GKE. They want to ensure that the application's pods are distributed across different zones for high availability and that during cluster upgrades, at least one pod remains available. Which THREE features should they configure?

Select 3 answers
A.Pod topology spread constraints
B.StatefulSet for the application
C.Cluster autoscaler
D.Horizontal Pod Autoscaler
E.PodDisruptionBudget
AnswersA, B, E

This spreads pods across zones or other topology domains.

Why this answer

Pod topology spread constraints distribute pods across zones. PodDisruptionBudget ensures minimum available pods during voluntary disruptions. Cluster autoscaler is not directly for availability, but for scaling nodes.

StatefulSet is for stateful workloads but doesn't guarantee zone distribution without constraints.
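The PodDisruptionBudget arithmetic behind this question, Q4 and Q34, as an added example (not code from the original page). It applies the rules of the Kubernetes disruption controller: a percentage is scaled against the expected pod count and rounded up, allowedDisruptions is healthy pods minus the desired healthy count, and it never goes below zero. The PDB specs are constructed; a PDB that resolves to zero allowed disruptions is the configuration that stalls node upgrades and stops the cluster autoscaler from removing a node.

```python
"""Compute how many voluntary evictions a PodDisruptionBudget allows.

Added example for Q4, Q34 and Q40, not from the original page. It applies the
rules of the Kubernetes disruption controller: percentages are scaled against
the expected pod count and rounded up, and allowedDisruptions never goes below
zero. The PDB specs below are constructed samples.
"""
from __future__ import annotations

import math
from typing import Union

IntOrPercent = Union[int, str]


def _scaled(value: IntOrPercent, total: int) -> int:
    """Resolve a Kubernetes IntOrString: ints as-is, 'N%' scaled against total and rounded up."""
    if isinstance(value, int):
        return value
    if isinstance(value, str) and value.endswith("%"):
        return math.ceil(total * int(value[:-1]) / 100)
    raise ValueError(f"invalid IntOrString: {value!r}")


def allowed_disruptions(expected: int, healthy: int, *,
                        min_available: IntOrPercent | None = None,
                        max_unavailable: IntOrPercent | None = None) -> int:
    """Pods a voluntary eviction (drain, upgrade, autoscaler scale-down) may remove right now."""
    if (min_available is None) == (max_unavailable is None):
        raise ValueError("set exactly one of minAvailable or maxUnavailable")
    if max_unavailable is not None:
        desired_healthy = max(0, expected - _scaled(max_unavailable, expected))
    else:
        desired_healthy = _scaled(min_available, expected)
    if expected <= 0:
        return 0
    return max(0, healthy - desired_healthy)


def lint_pdb(name: str, expected: int, healthy: int, **spec) -> tuple[str, int, str]:
    """Flag a PDB that currently permits no eviction at all."""
    allowed = allowed_disruptions(expected, healthy, **spec)
    if allowed == 0:
        verdict = "BLOCKS every voluntary eviction: upgrades and autoscaler scale-down will stall"
    else:
        verdict = "ok"
    return name, allowed, verdict


# Constructed samples: (label, expected pods, healthy pods, PDB spec).
SAMPLE_PDBS = [
    ("orders-db replicas=3 minAvailable=2", 3, 3, {"min_available": 2}),
    ("singleton replicas=1 minAvailable=1", 1, 1, {"min_available": 1}),
    ("api replicas=3 maxUnavailable=25%", 3, 3, {"max_unavailable": "25%"}),
    ("cache replicas=2 (1 unhealthy) minAvailable=50%", 2, 1, {"min_available": "50%"}),
]


def lint_all(samples=SAMPLE_PDBS):
    return [lint_pdb(name, expected, healthy, **spec) for name, expected, healthy, spec in samples]


if __name__ == "__main__":
    for name, allowed, verdict in lint_all():
        print(f"{name}: allowedDisruptions={allowed} {verdict}")
```

The single-replica PDB with minAvailable: 1 is the classic footgun: it satisfies the "at least one pod remains available" requirement on paper but makes the pod unevictable, so the correct pairing is a budget that leaves at least one disruption allowed while replicas are healthy, plus topology spread so that the remaining replicas are not in the zone being drained. The unhealthy-cache case shows that a budget can also close temporarily when pods are failing readiness.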

41
MCQeasy

A developer needs to store a database password securely and access it from a Cloud Run service. Which Google Cloud service should they use?

A.Cloud Storage
B.Firestore
C.Secret Manager
D.Cloud KMS
AnswerC

Secret Manager is designed for storing secrets with versioning and IAM.

Why this answer

Secret Manager securely stores secrets like passwords, API keys, and certificates, with per-secret IAM, versioning, and audit logging. Cloud Run reads them either as environment variables or as files in a mounted volume; the service's runtime service account needs roles/secretmanager.secretAccessor on the secret. Cloud KMS manages encryption keys and performs cryptographic operations, but it does not store arbitrary secrets.

42
MCQeasy

A company needs to store secrets such as API keys and database passwords securely and access them from Compute Engine instances. Which service provides secret storage with built-in IAM integration and automatic rotation?

A.Secret Manager
B.Cloud HSM
C.Cloud Storage
D.Cloud KMS
AnswerA

Correct. Secret Manager is purpose-built for secrets: per-secret IAM, versioning, audit logs, and rotation schedules.

Why this answer

Secret Manager stores secret versions and controls access with IAM; a Compute Engine instance reads them with its service account through the API or the client libraries. Rotation is not fully automatic: a rotation schedule on the secret publishes a Pub/Sub notification when a rotation is due, and a subscriber (for example a Cloud Function) generates the new credential, updates the backing system, and adds a new secret version. Cloud KMS manages keys, not arbitrary secrets; Cloud HSM is a protection level for KMS keys; Cloud Storage has no secret semantics.

43
MCQmedium

A team is using Cloud Build to deploy a microservice to Cloud Run. They want to ensure that only containers built from a specific trusted branch in their source repository are deployed to production. Which Cloud Build feature should they use?

A.Binary Authorization attestors
B.Cloud Build trigger branch filtering
C.Cloud Deploy delivery pipeline approvals
D.Artifact Registry IAM permissions
AnswerB

Cloud Build triggers are scoped to branches with an anchored regular expression, so only pushes to the trusted branch start a build.

Why this answer

A Cloud Build trigger is configured to fire on push events whose branch matches a regex (for example '^main$' or '^release/.*$'); anchor the pattern, because an unanchored 'main' also matches a branch named 'feature/main-fix'. Branch filtering decides what gets built, so it only helps if the branch itself is protected in the source repository (required reviews, no force pushes). Artifact Registry IAM controls who can read and write images, but it does not know which branch an image came from.

Cloud Deploy is a separate service for progressive delivery, and its approvals gate promotion, not builds. Binary Authorization enforces policy at deployment time, for instance by requiring an attestation that the image came from this pipeline; it complements branch filtering rather than replacing it, and it does not filter by branch.

44
Multi-Selectmedium

A company wants to monitor the performance of their microservices deployed on Cloud Run. They need to capture request latencies and error rates, and also trace requests across services. Which TWO services should they use?

Select 2 answers
A.Cloud Trace
B.Error Reporting
C.Cloud Profiler
D.Cloud Logging
E.Cloud Monitoring
AnswersA, E

Cloud Trace provides distributed tracing, the only option here that follows a request across services.

Why this answer

Cloud Run exports request count, request latency, and response-code metrics to Cloud Monitoring automatically, so latency percentiles and error rates come from Monitoring dashboards and alerting policies. Cloud Trace collects per-request spans across services for distributed tracing. Error Reporting groups exceptions, Cloud Profiler samples CPU and memory, and Cloud Logging holds the request logs; none of them gives cross-service tracing.

45
MCQmedium

A developer wants to deploy a Cloud Function that is triggered whenever a new object is created in a Cloud Storage bucket. Which trigger type should they choose?

A.Firestore trigger
B.Cloud Storage trigger
C.Pub/Sub trigger
D.HTTP trigger
AnswerB

Cloud Storage triggers let a function respond to object lifecycle events such as finalize (object created or overwritten), delete, archive, and metadata update.

Why this answer

Cloud Functions can be triggered by Cloud Storage events; object creation is google.storage.object.finalize for 1st gen functions and google.cloud.storage.object.v1.finalized for 2nd gen functions, which receive the event through Eventarc. HTTP triggers respond to HTTP requests. Pub/Sub triggers respond to messages on a topic.

Firestore triggers respond to document changes.

46
Multi-Selectmedium

Which TWO services can be used to create a CI/CD pipeline for a containerized application on Google Cloud? (Choose 2)

Select 2 answers
A.Cloud Deploy
B.Cloud Functions
C.Cloud Build
D.Cloud Scheduler
E.Cloud Run
AnswersA, C

Cloud Build is the CI component, Cloud Deploy the CD component.

Why this answer

Cloud Build builds, tests, and pushes the container image; Cloud Deploy takes a release and promotes it through a pipeline of targets such as dev, staging, and production. Cloud Run is a runtime target, Cloud Scheduler runs jobs on a timetable, and Cloud Functions is not a pipeline tool.

47
MCQeasy

A development team wants to automate the process of building container images from their GitHub repository and storing them in Artifact Registry. Which Google Cloud service should they use to create a build trigger that runs on every push to the main branch?

A.Container Registry
B.Cloud Build
C.Artifact Registry
D.Cloud Deploy
AnswerB

Correct. Build triggers in Cloud Build can watch a repository branch and run a build automatically.

Why this answer

Cloud Build is the CI/CD service that can be configured with build triggers to automatically build images on source code changes and push them to Artifact Registry.

48
MCQeasy

A company wants to automatically apply security patches to Compute Engine instances running Windows Server. They need a solution that can schedule patch installations and report compliance. Which service should they use?

A.OS Config
B.Cloud Monitoring
C.Cloud Deploy
D.Cloud Build
AnswerA

OS Config (part of VM Manager) provides patch management for Compute Engine VMs.

Why this answer

OS Config's patch management feature schedules patch jobs (one-off or recurring), applies OS updates through the OS Config agent on each VM, including Windows Update classifications such as security updates, and reports patch compliance per instance. Cloud Monitoring observes; Cloud Deploy and Cloud Build are delivery tools.

49
Multi-Selecthard

A finance company needs to ensure that all compute instances in their VPC can only communicate with Google APIs (e.g., Cloud Storage) over internal IPs. Additionally, instances without external IPs should be able to access the internet for updates. Which TWO configurations should they implement?

Select 2 answers
A.Configure Cloud NAT
B.Create a firewall rule allowing egress to 0.0.0.0/0
C.Enable Private Google Access on the subnet
D.Assign external IPs to all instances
E.Use VPC peering with Google's public network
AnswersA, C

Cloud NAT provides outbound internet access to instances without external IPs; Private Google Access keeps Google API traffic on internal IPs.

Why this answer

Private Google Access is a per-subnet setting that lets VMs with only internal IPs reach Google APIs and services. Cloud NAT, configured on a Cloud Router in the region, gives those same VMs outbound internet access for package updates without creating any inbound path. Egress to 0.0.0.0/0 is already allowed by the implied egress rule and does not by itself provide internet reachability, assigning external IPs contradicts the requirement, and there is no VPC peering with a Google public network.

50
MCQmedium

A team wants to deploy a microservice on Cloud Run that needs to access a Cloud Memorystore for Redis instance in the same region. The Redis instance is in a VPC network. Which configuration is required for Cloud Run to reach the Redis instance?

A.Configure a Cloud NAT gateway
B.Create a Serverless VPC Access connector and configure Cloud Run to use it
C.Use Private Google Access
D.Deploy Cloud Run within a VPC
AnswerB

The connector gives Cloud Run a path into the VPC where Memorystore has its internal IP.

Why this answer

Memorystore for Redis is reachable only from its authorized VPC network on an internal IP. Cloud Run services reach it through a Serverless VPC Access connector (or, on newer Cloud Run, Direct VPC egress) in the same region. Cloud NAT handles egress to the internet, Private Google Access applies to Google APIs from VMs, and Cloud Run services are not deployed inside a VPC.

51
Multi-Selectmedium

You need to collect and analyze logs from multiple projects in a centralized BigQuery dataset for auditing. Which THREE steps are required? (Choose 3)

Select 3 answers
A.Enable VPC Flow Logs in all projects
B.Use an aggregated sink at the organization or folder level to collect logs from all projects
C.Grant the 'bigquery.dataEditor' role to the Cloud Logging service account
D.Create a log exclusion filter to remove sensitive data
E.Create a log sink in each project that exports to a shared BigQuery dataset
AnswersB, C, E

An aggregated sink avoids configuring and maintaining a sink in every project.

Why this answer

An aggregated sink at the organization or folder level, created with --include-children, routes the logs of every project beneath it to one BigQuery dataset; per-project sinks pointing at the same dataset achieve the same result with more to maintain. Either way, each sink gets its own writer identity (a service account that Logging creates for it), and that identity needs roles/bigquery.dataEditor on the destination dataset or the sink silently fails to write. VPC Flow Logs are one log source, not an export mechanism, and an exclusion filter drops entries instead of collecting them; audit logs should be exported in full.

52
MCQhard

An organization runs a Cloud Run service that processes incoming HTTP requests. Under heavy load, some requests timeout. The team wants to reduce cold starts and ensure consistent performance. They set min instances to 1, but the issue persists. Which additional configuration should they change?

A.Reduce concurrency
B.Set CPU always allocated to true
C.Increase max instances
D.Increase request timeout
AnswerB

Allocating CPU outside of requests keeps the idle instance ready to serve immediately.

Why this answer

By default Cloud Run throttles CPU when an instance is not handling a request, so the one warm instance kept by min-instances may still respond slowly to the first request after an idle period, and any background work (connection pools, caches) stalls. Setting CPU to always allocated keeps CPU available between requests. Reducing concurrency adds instances instead of cutting latency, raising max instances helps capacity rather than cold starts, and a longer timeout hides the symptom.

53
MCQmedium

A Cloud Run service needs to access resources in a VPC network (e.g., a Cloud SQL instance). The service should be able to send requests to the VPC and receive responses. What is the correct configuration?

A.Create a VPC connector and configure the Cloud Run service to use it for egress
B.Place the Cloud Run service in a VPC subnet
C.Use Cloud NAT to allow Cloud Run to access the VPC
D.Use VPC peering between Cloud Run and the VPC
AnswerA

Correct. A Serverless VPC Access connector routes egress traffic from Cloud Run into the VPC.

Why this answer

Cloud Run sends requests to private addresses in a VPC through a Serverless VPC Access connector (or Direct VPC egress); responses to those requests flow back over the same path. The connector does not make the service reachable from the VPC: inbound access is governed by the service's ingress setting and IAM. For Cloud SQL specifically, Cloud Run's built-in Cloud SQL connection (--add-cloudsql-instances) works for public-IP instances without a connector; private IP requires the VPC path.

54
MCQhard

A company wants to deploy a microservice on Cloud Run that requires high throughput and low latency. The service processes requests that can spike unpredictably. The team wants to minimize cold starts and ensure availability during traffic bursts. Which combination of Cloud Run settings should they configure?

A.min-instances = 1, max-instances = 1, concurrency = 80
B.min-instances = 0, max-instances = 100, concurrency = 1
C.min-instances = 0, max-instances = 10, concurrency = 80
D.min-instances = 1, max-instances = 100, concurrency = 80
AnswerD

This combination keeps one warm instance, lets the service scale out for bursts, and lets each instance handle many requests.

Why this answer

min-instances = 1 keeps an instance warm, so the baseline load never sees a cold start; instances added during a burst still start cold, which is why max-instances must be high enough that Cloud Run can scale out instead of queueing or rejecting requests. Concurrency should be the largest value the container handles safely, so a burst is absorbed by existing instances before new ones are needed. Option A caps the service at one instance, and concurrency = 1 forces a new instance for every simultaneous request.

55
Multi-Selecteasy

A company wants to store application secrets such as API keys and database passwords securely and audit access. They also need to automatically rotate secrets periodically. Which TWO Google Cloud services should they use? (Choose 2)

Select 2 answers
A.Cloud Deployment Manager
B.Cloud Scheduler
C.Cloud Storage
D.Cloud Key Management Service
E.Secret Manager
AnswersB, E

Secret Manager stores the secrets; Cloud Scheduler (or Secret Manager's own rotation schedule) provides the periodic trigger.

Why this answer

Secret Manager stores secrets with versioning, IAM control, and Cloud Audit Logs for every access, which covers storage and auditing. Rotation needs a trigger and a worker: Cloud Scheduler fires on a cron schedule and invokes a Cloud Function or Cloud Run job that generates the new credential, updates the backing system, and adds a new secret version. Cloud KMS manages keys rather than secrets, and Deployment Manager and Cloud Storage play no role.

56
Multi-Selectmedium

An organization wants to monitor and alert on custom application metrics from a GKE cluster. They also need to view logs in real-time and create metrics from log content. Which two GCP services should they use? (Choose two.)

Select 2 answers
A.Error Reporting
B.Cloud Monitoring
C.Cloud Profiler
D.Cloud Trace
E.Cloud Logging
AnswersB, E

Monitoring can collect custom metrics via the Monitoring API and set up alerting policies.

Why this answer

Cloud Monitoring collects metrics and provides alerting. Cloud Logging collects logs and supports log-based metrics. Cloud Profiler is for profiling.

Cloud Trace is for tracing. Error Reporting is for error grouping.

57
Multi-Selectmedium

A company is migrating a legacy application that uses a file server to GCP. The application requires a shared file system that supports the NFS protocol and can be mounted by multiple Compute Engine instances. The team also needs to use Cloud NAT to allow the instances to download updates. Which TWO services should they use? (Choose 2)

Select 2 answers
A.Cloud NAT
B.Cloud VPN
C.Cloud Storage Fuse
D.Cloud Filestore
E.Private Google Access
AnswersA, D

Cloud NAT enables outbound internet access for private instances.

Why this answer

Filestore provides NFS file shares, and Cloud NAT allows instances without public IPs to access the internet for updates.

58
MCQmedium

A company has a Cloud Run service that processes high-throughput requests. They want to reduce latency by keeping a baseline of warm instances always ready to handle traffic. Which Cloud Run configuration parameters should they adjust?

A.Set min-instances to 0 and max-instances to 100
B.Set max-instances to a high value and concurrency to 1
C.Set min-instances to 10 and CPU to always-on
D.Set max-instances to 0 (unlimited) and concurrency to 80
AnswerC

min-instances keeps 10 warm instances ready, and always-allocated CPU keeps them responsive even when not serving requests.

Why this answer

Setting min-instances above 0 makes Cloud Run keep at least that many instances running, so requests up to that baseline never wait on a cold start. max-instances only caps scale-out, and concurrency only controls how many requests share one instance; neither keeps instances warm. Option A's min-instances of 0 is exactly what causes cold starts.

CPU always allocated is a separate billing and performance setting; combined with min-instances it also keeps background work on idle instances from being throttled.

59
MCQmedium

A data science team wants to run training jobs on a GKE cluster. The jobs are resource-intensive and can tolerate interruptions. To reduce costs, the team wants to use preemptible VMs for the node pool. Which additional step should they take to ensure training jobs are not lost when nodes are preempted?

A.Use a PodDisruptionBudget
B.Set up a Cloud Scheduler job to recreate nodes
C.Enable cluster autoscaler on the node pool
D.Configure a Vertical Pod Autoscaler
AnswerC

Cluster autoscaler adds replacement nodes when preemptible (or Spot) VMs are reclaimed, so pending training pods get scheduled again.

Why this answer

When a preemptible node is reclaimed, its pods become pending; with cluster autoscaler enabled on the node pool, GKE adds a replacement node so the job controller can reschedule them. A PodDisruptionBudget does not apply because preemption is not a voluntary disruption, Cloud Scheduler is not a node-management tool, and Vertical Pod Autoscaler tunes resource requests. At the application level the job should still checkpoint progress to durable storage such as Cloud Storage or a persistent volume, otherwise work done since the last checkpoint is lost. Google now recommends Spot VMs over preemptible VMs; the scheduling behaviour is the same.

60
MCQhard

A company wants to enforce that only container images built and signed by their CI/CD pipeline can be deployed in their GKE cluster. Which Google Cloud service should they use?

A.Artifact Analysis
B.Binary Authorization
C.Cloud Audit Logs
D.Cloud Security Command Center
AnswerB

Binary Authorization is the admission control that blocks images lacking a required signature (attestation).

Why this answer

Binary Authorization enforces a deploy-time policy on GKE (and Cloud Run) requiring that an image digest carry attestations from named attestors; the CI/CD pipeline creates the attestation by signing the digest, typically with a Cloud KMS key, after a successful build. Artifact Analysis stores vulnerability and attestation metadata but enforces nothing, Cloud Audit Logs record what happened, and Security Command Center reports findings.

61
Multi-Selectmedium

An organization wants to ensure that all Compute Engine instances in a project are patched with the latest security updates. They also want to enforce a custom configuration (e.g., disable root SSH login) across all instances. Which TWO Google Cloud services should they use together?

Select 2 answers
A.Cloud Monitoring
B.OS Config patch management
C.Cloud Deployment Manager
D.OS Config OS policies
E.Cloud Asset Inventory
AnswersB, D

Patch management automates OS patching; OS policies keep configuration in the desired state.

Why this answer

OS Config patch management schedules and reports on OS patches, and OS policy assignments declare a desired configuration (a package, a file, or a validate/enforce script such as one that sets PermitRootLogin no) that the OS Config agent checks and enforces on each run, so drift is corrected rather than only detected. Cloud Monitoring observes but does not patch; Cloud Asset Inventory records what resources exist; Deployment Manager provisions infrastructure and does not manage the guest OS afterwards.
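As an added example (not part of the original page), this is an OS policy assignment for the configuration case in questions 48 and 61: the OS Config agent validates that sshd refuses root logins and enforces it when it does not. The zone, the label selector, the assumption that the target images are Debian or Ubuntu with an sshd_config.d include directory, and the rollout numbers are all assumptions. It would be applied with `gcloud compute os-config os-policy-assignments create no-root-ssh --location=us-central1-a --file=policy.yaml`.

```yaml
# Added example, not from the page. OS policy assignment for VM Manager / OS Config.
# Assumed: Debian/Ubuntu guests whose sshd_config includes /etc/ssh/sshd_config.d/*.conf,
# instances labelled env=prod, and a 10% disruption budget per rollout step.
osPolicies:
- id: disable-root-ssh
  mode: ENFORCEMENT          # VALIDATION would only report drift; ENFORCEMENT corrects it
  description: sshd must refuse root logins
  resourceGroups:
  - inventoryFilters:        # only apply to these OS families
    - osShortName: debian
    - osShortName: ubuntu
    resources:
    - id: sshd-permit-root-login
      exec:
        # validate: exit 100 = compliant, exit 101 = non-compliant (OS Config convention)
        validate:
          interpreter: SHELL
          script: |
            if sshd -T 2>/dev/null | grep -qx 'permitrootlogin no'; then
              exit 100
            else
              exit 101
            fi
        # enforce runs only after validate returned 101; exit 100 = enforcement succeeded
        enforce:
          interpreter: SHELL
          script: |
            printf 'PermitRootLogin no\n' > /etc/ssh/sshd_config.d/90-no-root.conf
            chmod 0644 /etc/ssh/sshd_config.d/90-no-root.conf
            systemctl reload ssh 2>/dev/null || systemctl reload sshd
            exit 100
instanceFilter:
  inclusionLabels:
  - labels:
      env: prod
rollout:
  disruptionBudget:
    percent: 10              # at most 10% of matching VMs are touched at a time
  minWaitDuration: 300s      # wait 5 minutes between rollout steps
```

The agent re-runs validate on its regular schedule, so a later manual edit that re-enables root login is reverted on the next pass; the validate script uses `sshd -T` (the effective configuration) rather than grepping the config file, so an override in another include file is caught too.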

62
MCQeasy

An engineer wants to store a database password securely and allow a Cloud Run service to access it. Which GCP service should they use?

A.Secret Manager
B.Cloud Storage
C.Cloud Key Management Service (KMS)
D.Firestore
AnswerA

Secret Manager securely stores secrets and provides fine-grained access control.

Why this answer

Secret Manager is designed for storing secrets like passwords, API keys, and certificates. It integrates with Cloud Run via volume mounts or environment variables. Cloud KMS is for encryption keys.

Cloud Storage is for objects. Firestore is a database.
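The Cloud Run settings discussed in questions 41, 42, 50, 52, 53, 54, 58 and 62 can be declared together in one service definition. The following is an added example, not code from the original page: project, image, connector, secret and service-account names are placeholders, and the Redis address is an assumed internal IP. It would be applied with `gcloud run services replace service.yaml`.

```yaml
# Added example, not from the page. Cloud Run service for `gcloud run services replace`.
# Assumed names: project example-project, connector svc-conn, secret db-password,
# runtime service account payments-run@..., Redis at 10.0.0.3.
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: payments
  annotations:
    # accept traffic only from the VPC and from an external HTTP(S) load balancer
    run.googleapis.com/ingress: internal-and-cloud-load-balancing
spec:
  template:
    metadata:
      annotations:
        autoscaling.knative.dev/minScale: "1"        # one warm instance: no cold start for baseline load
        autoscaling.knative.dev/maxScale: "100"      # headroom for bursts
        run.googleapis.com/cpu-throttling: "false"   # CPU always allocated, also between requests
        # egress into the VPC (Memorystore, private Cloud SQL IP) via a Serverless VPC Access connector
        run.googleapis.com/vpc-access-connector: projects/example-project/locations/us-central1/connectors/svc-conn
        run.googleapis.com/vpc-access-egress: private-ranges-only   # only RFC 1918 traffic uses the connector
    spec:
      containerConcurrency: 80          # requests one instance handles at once
      timeoutSeconds: 30
      # least-privilege runtime identity; needs roles/secretmanager.secretAccessor on db-password only
      serviceAccountName: payments-run@example-project.iam.gserviceaccount.com
      containers:
      - image: us-central1-docker.pkg.dev/example-project/apps/payments:1.4.2
        env:
        - name: REDIS_HOST
          value: "10.0.0.3"
        - name: DB_PASSWORD             # value fetched from Secret Manager when an instance starts
          valueFrom:
            secretKeyRef:
              name: db-password
              key: latest               # or a fixed version number for reproducible deploys
        resources:
          limits:
            cpu: "1"
            memory: 512Mi
```

Because an environment-variable secret is resolved at instance start, rotating db-password requires a new revision (or instance restarts) before running instances pick up the new version; pin `key` to a specific version if you want deploys to be reproducible and rotation to be an explicit change.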

63
MCQmedium

A company uses Cloud Build to deploy a Java application to Artifact Registry. They want to automatically trigger a build only when changes are pushed to the 'main' branch in their Cloud Source Repository. Which configuration should they use?

A.Configure a Cloud Function that listens for Pub/Sub messages from Cloud Source Repo and calls Cloud Build API
B.Create a Cloud Build trigger with an included branch filter set to '^main$'
C.Create a Cloud Scheduler job that runs a Pub/Sub push to Cloud Build every hour
D.Use a Cloud Build build step that checks the branch name and aborts if not main
AnswerB

The anchored branch filter '^main$' ensures only pushes to the main branch start a build.

Why this answer

Cloud Build triggers take a branch filter as a regular expression and fire only on push events whose branch matches, so '^main$' matches main and nothing else (an unanchored 'main' would also match 'main-hotfix'). A Cloud Function calling the Cloud Build API reimplements what the trigger does natively, a Cloud Scheduler job is for scheduled builds rather than push events, and a build step that aborts on the wrong branch still starts (and pays for) the build before rejecting it.

64
Multi-Selecthard

A data analytics team wants to build a pipeline that processes files from a Cloud Storage bucket, transforms the data, and loads it into BigQuery. They want to trigger the pipeline only when new files arrive. Which THREE services can be used together to achieve this? (Choose 3.)

Select 3 answers
A.Cloud Scheduler
B.Cloud Storage triggers for Cloud Functions
C.Cloud Build triggers
D.Cloud Workflows
E.BigQuery Data Transfer Service
AnswersB, D, E

Cloud Functions can be triggered on object creation in Cloud Storage, which is the event that should start the pipeline.

Why this answer

A Cloud Storage trigger (object finalize) fires the function when a file lands; the function then starts a Cloud Workflows execution that orchestrates the transform and load steps, and a workflow step can start an on-demand BigQuery Data Transfer Service run to load the prepared files from Cloud Storage into BigQuery. Cloud Build is for CI/CD, not event-driven data processing, and Cloud Scheduler runs on a timetable rather than on file arrival.

65
MCQeasy

Which GCP service should be used to automatically scale a GKE cluster's number of nodes based on pending pods?

A.Vertical Pod Autoscaler (VPA)
B.Cluster Autoscaler
C.Node Auto-Provisioning
D.Horizontal Pod Autoscaler (HPA)
AnswerB

Cluster Autoscaler automatically adds or removes nodes in a node pool based on pod scheduling needs.

Why this answer

The cluster autoscaler adjusts the number of nodes in node pools based on pod resource requests. HPA scales pods, not nodes. VPA adjusts pod resource requests.

Node auto-provisioning is part of cluster autoscaler but the described functionality is cluster autoscaler.

66
MCQhard

You have a Cloud Deploy delivery pipeline with an approval gate. You want to automatically roll back a release if the rollout fails during the deploy step. How should you configure the pipeline?

A.Set an automatic rollback policy in the delivery pipeline definition
B.Use a Cloud Build post-deploy hook to check the rollout status and roll back if needed
C.Configure the approval gate to reject the deployment if it fails
D.Enable the 'rollback on failure' flag in the pipeline
AnswerB

Cloud Deploy itself reports the failed rollout; a post-deploy hook or external automation inspects the state and runs the rollback.

Why this answer

As the question is posed, Cloud Deploy has no 'rollback on failure' flag, and approval gates run before a rollout, so they cannot reject one that has already failed. A Cloud Build job (or a Cloud Function) can watch rollout status and roll the target back with 'gcloud deploy targets rollback' or the equivalent API call. Cloud Deploy has since added automation rules, including a repair-rollout rule that can retry a failed phase and then roll back, so on current releases that behaviour can be declared in an Automation resource; the answer here reflects the earlier feature set.

67
MCQmedium

You want to monitor the latency of an application running on Compute Engine and create an alert if the 99th percentile latency exceeds 500ms for more than 5 minutes. Which approach should you use?

A.Use Cloud Trace to analyze latency and set a trace-based alert
B.Use Error Reporting to capture latency errors
C.Create a Metric Threshold alert using the 'Latency' metric with a percentile alignment
D.Create a log-based metric from application logs and set an alert on that metric
AnswerC

Correct. Cloud Monitoring alerting policies support distribution metrics with percentile aligners.

Why this answer

Latency recorded as a distribution metric can be aligned with ALIGN_PERCENTILE_99 over an alignment period, compared against a threshold (500 ms), and required to exceed it for a duration of 5 minutes before the policy fires. Cloud Trace has no alerting of its own, Error Reporting groups exceptions, and a log-based metric works only if latency is already written to the logs, which is the heavier path.
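The policy described above, as an added example that is not from the original page. It assumes the application already writes a distribution-valued custom metric named custom.googleapis.com/app/request_latency_ms from its Compute Engine instances (the metric name and unit are assumptions), and that a notification channel with the placeholder ID shown exists. It would be created with `gcloud alpha monitoring policies create --policy-from-file=policy.yaml`.

```yaml
# Added example, not from the page. Cloud Monitoring alerting policy.
# Assumed: a DISTRIBUTION custom metric in milliseconds written by the app, and an existing notification channel.
displayName: p99 request latency above 500 ms for 5 minutes
combiner: OR
conditions:
- displayName: p99 latency per instance
  conditionThreshold:
    filter: >-
      metric.type="custom.googleapis.com/app/request_latency_ms"
      AND resource.type="gce_instance"
    aggregations:
    - alignmentPeriod: 60s
      perSeriesAligner: ALIGN_PERCENTILE_99   # percentile aligners need a distribution metric
    comparison: COMPARISON_GT
    thresholdValue: 500                        # same unit as the metric (milliseconds)
    duration: 300s                             # must stay above threshold for 5 minutes
    trigger:
      count: 1                                 # any one instance's series is enough
notificationChannels:
- projects/example-project/notificationChannels/1234567890
alertStrategy:
  autoClose: 1800s
```

Without a crossSeriesReducer each instance produces its own time series, so the policy names the instance that is slow; add `crossSeriesReducer: REDUCE_MAX` with `groupByFields` if one fleet-wide incident is preferred.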

68
MCQmedium

A company runs a stateful application on GKE that requires persistent storage. They want to ensure that during cluster upgrades, pods are not disrupted and storage is preserved. Which configuration should they use?

A.Enable Cluster Autoscaler on the node pool
B.Use a Deployment with a HorizontalPodAutoscaler
C.Use a StatefulSet with a PodDisruptionBudget
D.Use PersistentVolumeClaims with ReadWriteMany access mode
AnswerC

StatefulSets give each pod stable persistent storage, and a PodDisruptionBudget limits how many pods an upgrade may evict at once.

Why this answer

A PodDisruptionBudget (PDB) limits concurrent voluntary disruptions such as node drains during a cluster upgrade, so the application keeps a minimum number of replicas; it cannot prevent every disruption, only pace them. A StatefulSet's volumeClaimTemplates give each pod its own PersistentVolumeClaim (normally ReadWriteOnce) that is reattached when the pod is rescheduled, so storage is preserved. ReadWriteMany is an access mode, not a disruption control, and most GKE block storage does not support it.

The cluster autoscaler only adjusts node count. HorizontalPodAutoscaler scales pods on metrics but does not protect against eviction.

69
MCQeasy

A developer is writing a Cloud Function that processes files uploaded to a Cloud Storage bucket. Which trigger should they use?

A.HTTP trigger
B.Firestore trigger
C.Cloud Storage trigger
D.Pub/Sub trigger
AnswerC

A Cloud Storage trigger fires on object changes.

Why this answer

Cloud Functions can be triggered by Cloud Storage events such as object finalize, delete, etc.

70
Multi-Selecthard

A company uses Terraform to manage infrastructure. They want to store the Terraform state file remotely and enable state locking to prevent concurrent modifications. Which three Google Cloud services or features should they use? (Choose three.)

Select 3 answers
A.Object versioning on the state bucket
B.Cloud Storage
C.Cloud NAT
D.Cloud Shell
E.Cloud KMS
AnswersA, B, E

Cloud Storage holds the state, versioning keeps recoverable history, and Cloud KMS supplies a customer-managed key.

Why this answer

Terraform's gcs backend stores state in a Cloud Storage bucket and implements locking itself: it creates a lock object with a generation precondition, so two concurrent runs cannot both acquire it, and no additional service is needed for locking. Object versioning keeps previous state objects so a corrupted or mistaken apply can be rolled back. Cloud KMS provides a customer-managed key that the backend uses through kms_encryption_key (Cloud Storage already encrypts at rest with Google-managed keys by default). Because state contains resource attributes, often including secrets in plaintext, restrict bucket IAM to the CI identity and a small number of operators.

Cloud NAT is for outbound connectivity. Cloud Shell is just one place Terraform can be run from.

71
Multi-Selectmedium

A company is deploying a critical application on GKE and wants to ensure high availability during node upgrades and failures. Which TWO configurations should they implement? (Choose 2.)

Select 2 answers
A.Enable Workload Identity for the service account
B.Configure a PodDisruptionBudget for the deployment
C.Create a multi-zonal node pool to spread nodes across multiple zones
D.Use a HorizontalPodAutoscaler with high target utilization
E.Enable Cluster Autoscaler on the node pool
AnswersB, C

PDB ensures that voluntary disruptions (e.g., upgrades) do not bring all pods down.

Why this answer

PodDisruptionBudgets (PDBs) ensure that a minimum number of pods remain available during voluntary disruptions like node upgrades. Multi-zonal node pools distribute pods across zones, protecting against zone failures. Cluster Autoscaler adds nodes when needed but does not directly ensure availability.

HPA scales pods but does not handle disruptions. Workload Identity is for authentication, not availability.

72
MCQeasy

What is the purpose of a Pod Disruption Budget (PDB) in GKE?

A.To automatically scale pods based on CPU usage
B.To distribute pods across different zones
C.To ensure a minimum number of pods are always available during voluntary disruptions
D.To prevent any pod from being terminated
AnswerC

PDBs define the minimum available pods, ensuring high availability.

Why this answer

A PDB limits the number of pods of a replicated application that can be down simultaneously from voluntary disruptions (e.g., node upgrades, cluster autoscaler evictions).
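The pieces asked for in questions 40, 68, 71 and 72 fit in one manifest: a StatefulSet spread across zones by topology spread constraints, per-pod persistent volumes, and a PodDisruptionBudget that paces node drains. This is an added example, not from the original page; the application name, image, storage class and sizes are assumptions.

```yaml
# Added example, not from the page. Assumed: app "ledger", three replicas, GKE storage class premium-rwo.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: ledger
spec:
  serviceName: ledger
  replicas: 3
  selector:
    matchLabels:
      app: ledger
  template:
    metadata:
      labels:
        app: ledger
    spec:
      # hard constraint: replicas differ by at most one per zone, so three replicas land in three zones
      topologySpreadConstraints:
      - maxSkew: 1
        topologyKey: topology.kubernetes.io/zone
        whenUnsatisfiable: DoNotSchedule
        labelSelector:
          matchLabels:
            app: ledger
      containers:
      - name: ledger
        image: us-central1-docker.pkg.dev/example-project/apps/ledger:1.4.2
        ports:
        - containerPort: 8080
        volumeMounts:
        - name: data
          mountPath: /var/lib/ledger
  # one PVC per pod (ledger-0, ledger-1, ...); it is reattached when the pod is rescheduled
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes: ["ReadWriteOnce"]
      storageClassName: premium-rwo
      resources:
        requests:
          storage: 50Gi
---
# GKE drains nodes through the eviction API during upgrades, which honours this budget:
# with three replicas and minAvailable 2, at most one pod is down at a time.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: ledger-pdb
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: ledger
```

Do not set minAvailable equal to the replica count: the drain can then never satisfy the budget, and GKE waits up to an hour per node before proceeding regardless, which turns a protective control into a stalled upgrade.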

73
MCQmedium

A team uses Cloud Functions triggered by Cloud Storage events to process uploaded images. They want to ensure that only HTTP-triggered functions can be invoked from outside the project. Which configuration should they apply?

A.Add a VPC firewall rule to allow only internal traffic
B.Set --ingress-settings=internal-only on the HTTP function
C.Remove the Cloud Storage trigger function's trigger
D.Set --ingress-settings=all on the HTTP function
AnswerB

Ingress settings restrict where HTTP requests to a function may come from; event-driven functions are invoked by the platform and need none.

Why this answer

The ingress setting applies to HTTP functions: internal-only accepts requests only from VPC networks in the same project or VPC Service Controls perimeter (including via Serverless VPC Access connectors and from internal Google Cloud services), internal-and-gclb additionally admits traffic arriving through an external HTTP(S) load balancer, and all (the default) accepts requests from anywhere. The same three values apply to 1st gen and 2nd gen functions; 2nd gen functions run on Cloud Run and carry the setting on the underlying service. A Cloud Storage-triggered function is invoked by the Cloud Storage notification path or Eventarc, not by external callers, so nothing changes for it. Ingress is a network control, not authentication: keep --no-allow-unauthenticated and grant roles/cloudfunctions.invoker (roles/run.invoker for 2nd gen) only to the callers that should succeed.

74
MCQhard

A security team wants to enforce that only container images signed by their internal CI/CD pipeline can run on GKE clusters. They also need to ensure that unsigned images are rejected at admission time. Which combination of services and configurations should they use?

A.GKE PodSecurityPolicy with allowed registries
B.Binary Authorization with Cloud KMS for signing
C.Cloud Build with Container Analysis
D.Artifact Registry vulnerability scanning and IAM roles
AnswerB

Binary Authorization enforces a policy that only attested (signed) images may run; Cloud KMS holds the keys used to sign.

Why this answer

Binary Authorization's policy requires images to carry attestations from trusted attestors. The pipeline signs the image digest with a Cloud KMS asymmetric key after a successful build (the attestor references the KMS public key as a PKIX key), and the GKE admission controller blocks any image without the required attestation. Cloud KMS creates and manages the signing keys and never exposes the private key.

Artifact Registry stores images and their metadata but enforces nothing at admission. Cloud Build with Container Analysis (now Artifact Analysis) records provenance and vulnerabilities and can create the attestation, but the enforcement mechanism is Binary Authorization. PodSecurityPolicy was removed in Kubernetes 1.25 and never verified signatures, and vulnerability scanning plus IAM only limits who can pull images, not whether an image is signed.
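The policy that enforces this, as an added example not taken from the page, for questions 60 and 74. It assumes an attestor named built-by-ci already exists in project example-project, backed by a Cloud KMS asymmetric signing key, and a production cluster named prod-cluster in us-central1 plus a dev-cluster used to test the policy in dry-run mode; all of those names are placeholders. It would be applied with `gcloud container binauthz policy import policy.yaml`.

```yaml
# Added example, not from the page. Binary Authorization project policy.
# Assumed: attestor projects/example-project/attestors/built-by-ci (KMS-backed), clusters prod-cluster and dev-cluster.
globalPolicyEvaluationMode: ENABLE        # let Google-maintained GKE system images through without attestations
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION     # image digest must carry an attestation ...
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG   # ... or the pod is rejected and the attempt logged
  requireAttestationsBy:
  - projects/example-project/attestors/built-by-ci
clusterAdmissionRules:
  # dev: same rule, but only log violations while the pipeline's signing step is being rolled out
  us-central1.dev-cluster:
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: DRYRUN_AUDIT_LOG_ONLY
    requireAttestationsBy:
    - projects/example-project/attestors/built-by-ci
  # prod: explicit, so a later change to the default rule cannot silently weaken it
  us-central1.prod-cluster:
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
    requireAttestationsBy:
    - projects/example-project/attestors/built-by-ci
```

Attestations are bound to the image digest, not the tag, so deployments must reference images by digest (or let GKE resolve the tag at admission time) for the check to mean anything; a tag that is re-pointed to an unsigned image fails admission rather than sliding through. Audit log entries from the dry-run cluster show exactly which images would have been blocked before enforcement is switched on.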

75
MCQmedium

A cloud architect is designing a CI/CD pipeline for a microservices application. Each service is deployed to Cloud Run. They want to use Cloud Build to automate building and deploying services only when changes occur in their respective directories. Which Cloud Build feature should they configure?

A.Build steps in cloudbuild.yaml
B.Build triggers with included files filter
C.Cloud Build's 'includedFiles' option in the build configuration
D.Artifact Registry triggers
AnswerB

Correct: a Cloud Build trigger's included files filter starts a build only when files under the given paths change.

Why this answer

Cloud Build triggers accept includedFiles (and ignoredFiles) glob patterns that are matched against the files changed in the push; if nothing matches, no build runs, so each service's trigger points at its own directory and its own cloudbuild.yaml. This is a property of the trigger, not of the build configuration file, which rules out option C. Build steps define what a build does but not when it runs, and Artifact Registry stores images rather than triggering builds.
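The trigger and build configuration that questions 43, 63 and 75 describe, written out as an added example (not from the original page). The GitHub owner and repository, the project, the service directory, the Artifact Registry path and the dedicated build service account are all placeholders. The first document is a trigger definition for `gcloud builds triggers import --source=trigger.yaml`; the second is the services/payments/cloudbuild.yaml it references.

```yaml
# Added example, not from the page. File 1: trigger.yaml for `gcloud builds triggers import`.
# Assumed: GitHub repo example-org/shop-monorepo, project example-project, service account payments-build@...
name: payments-main
description: Build and deploy the payments service from main only
github:
  owner: example-org
  name: shop-monorepo
  push:
    branch: ^main$                 # anchored: plain "main" would also match "not-main" or "feature/main-fix"
includedFiles:
- services/payments/**             # fire only when this service's files change
ignoredFiles:
- services/payments/README.md
filename: services/payments/cloudbuild.yaml
# dedicated least-privilege identity instead of the project-wide default build account
serviceAccount: projects/example-project/serviceAccounts/payments-build@example-project.iam.gserviceaccount.com
---
# File 2: services/payments/cloudbuild.yaml
steps:
- name: gcr.io/cloud-builders/docker
  args: ['build', '-t', '${_IMAGE}:${SHORT_SHA}', 'services/payments']
- name: gcr.io/cloud-builders/docker
  args: ['push', '${_IMAGE}:${SHORT_SHA}']     # needs roles/artifactregistry.writer on the repository
- name: gcr.io/google.com/cloudsdktool/cloud-sdk
  entrypoint: gcloud
  args: ['run', 'deploy', 'payments', '--image', '${_IMAGE}:${SHORT_SHA}', '--region', 'us-central1']
substitutions:
  _IMAGE: us-central1-docker.pkg.dev/example-project/apps/payments
images:
- '${_IMAGE}:${SHORT_SHA}'
options:
  logging: CLOUD_LOGGING_ONLY        # required when the build runs as a user-specified service account
```

The build service account needs roles/artifactregistry.writer on the apps repository, roles/run.developer on the service, and roles/iam.serviceAccountUser on the Cloud Run runtime service account; nothing else. Since SHORT_SHA comes from the push that matched ^main$, every deployed image tag is traceable to a commit on the protected branch, and a Binary Authorization attestation created in a further step can bind that digest to this pipeline.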
