Google Professional Cloud Developer (PCD) — Questions 676–750

980 questions total · 14 pages · All types, answers revealed

Page 10 of 14

676
MCQ · hard

A developer is integrating an App Engine standard environment app with Cloud Storage. The app needs to read objects from a bucket that is in a different project. The developer has granted the App Engine service account the Storage Object Viewer role on the bucket. However, the app still gets a 403 error when trying to read objects. What is the most likely cause?

A. The service account needs to be downloaded as a JSON key and added to the app configuration.
B. The bucket has uniform bucket-level access disabled, so ACLs may override IAM permissions.
C. The bucket is in a VPC Service Controls perimeter that blocks access from the App Engine service account.
D. The service account is from the app's project, not the bucket's project, and the bucket's IAM policy may not include the service account.
Answer: D

Cross-project IAM requires adding the service account from the source project to the bucket's IAM policy in the destination project.

Why this answer

Option D is correct because cross-project access requires the service account to be granted access on the bucket in the bucket's project. The App Engine service account belongs to the app's project, while the bucket is in another project, so the role must be assigned in the bucket's project. The error persists if the bucket's IAM policy doesn't include the service account. Option A is wrong because no service account key is needed.

Option C is wrong because VPC-SC could block access, but that would produce a different error. The remaining option is wrong because public access being disabled is fine when access is granted through explicit IAM.

677
MCQ · medium

A company wants to implement polyglot persistence: an RDBMS for transactions, a NoSQL database for session storage, and a data warehouse for analytics. Which combination of Google Cloud databases best suits this architecture?

A. Cloud Spanner (transactions), Firestore (session storage), BigQuery (analytics)
B. Cloud SQL (transactions), Firestore (session storage), Bigtable (analytics)
C. Firestore (transactions), Memorystore (session storage), BigQuery (analytics)
D. Cloud SQL (transactions), Bigtable (session storage), BigQuery (analytics)
Answer: A

Spanner provides ACID transactions at global scale, Firestore is great for session data, BigQuery for analytics.

Why this answer

Cloud Spanner provides ACID transactions with global consistency and horizontal scalability, making it ideal for transactional workloads. Firestore is a NoSQL document database optimized for real-time updates and high-read/write throughput, perfect for session storage. BigQuery is a serverless data warehouse designed for analytical queries on large datasets, fitting the analytics requirement.

Exam trap

The PCD exam often tests the misconception that Bigtable can serve as a data warehouse for analytics, but Bigtable is an operational database for low-latency access, not a SQL-based analytical warehouse like BigQuery.

How to eliminate wrong answers

Option B is wrong because Bigtable is a wide-column NoSQL database optimized for time-series and high-throughput operational workloads, not for analytics; it lacks SQL-based analytical querying and is not a data warehouse. Option C is wrong because Firestore is not designed for complex ACID transactions across multiple entities; it is a NoSQL database with limited transactional support, and Memorystore (Redis) is a cache, not a session storage database with persistence guarantees. Option D is wrong because Bigtable is not suitable for session storage; it is designed for large-scale analytical and operational workloads, not for low-latency, high-frequency session reads/writes with eventual consistency.

678
Multi-Select · hard

A developer wants to ensure their Cloud Function is reliable. Which three testing practices should they follow? (Choose three.)

Select 3 answers
A. Write unit tests that mock external services
B. Use the Cloud Functions Framework to run the function locally
C. Write integration tests that use the Cloud Functions Emulator or a test project
D. Deploy the function to production for integration testing
E. Perform load testing using a Cloud Scheduler job that invokes the function frequently
Answers: A, B, C

Unit tests verify logic in isolation, increasing confidence in code correctness.

Why this answer

Option A is correct because unit tests should mock external services (like databases or APIs) to isolate the function's logic and avoid dependencies on live infrastructure. This ensures tests are fast, deterministic, and do not incur costs or side effects from actual service calls.

Exam trap

The PCD exam often tests the distinction between deployment strategies and testing practices, where candidates mistakenly treat production deployment or scheduler-based invocation as valid testing methods instead of using isolated, controlled environments.

679
MCQ · medium

A company is migrating an on-premises MySQL OLTP application to Cloud SQL. The application requires 48 vCPU, 312 GB RAM, and 30 TB of storage. Which Cloud SQL edition and tier should they choose?

A. Cloud SQL Enterprise Plus with db-perf-optimized-48-300
B. Cloud SQL Enterprise with db-custom-48-307200
C. Cloud SQL Enterprise with db-custom-32-204800
D. Cloud SQL Enterprise Plus with db-perf-optimized-64-400
Answer: B

db-custom-48-307200 provides 48 vCPU and 307200 MB (300 GB) RAM, which is close to 312 GB. Cloud SQL Enterprise supports up to 96 vCPU and 624 GB RAM.

Why this answer

Option B is correct because the application requires 48 vCPU and 312 GB RAM, and Cloud SQL Enterprise with db-custom-48-307200 provides exactly 48 vCPU and 307200 MB (300 GB) of RAM, which is the closest available tier that meets or exceeds the memory requirement. Cloud SQL Enterprise supports custom machine types with up to 48 vCPU and 307200 MB RAM, while Enterprise Plus offers only predefined 'perf-optimized' tiers that do not match the exact vCPU/RAM combination needed.

Exam trap

The trap here is that candidates often assume Enterprise Plus is always better, but the question tests whether you recognize that custom machine types (db-custom) in Cloud SQL Enterprise can precisely match specific vCPU and memory requirements, while Enterprise Plus only offers predefined perf-optimized tiers that may not align with exact needs.

How to eliminate wrong answers

Option A is wrong because Cloud SQL Enterprise Plus with db-perf-optimized-48-300 provides only 300 GB RAM (307200 MB is 300 GB, but the tier name implies 300 GB, not 312 GB), and more importantly, Enterprise Plus does not offer a 48 vCPU tier with exactly 312 GB RAM; the perf-optimized tiers are predefined and may not match the exact requirements. Option C is wrong because db-custom-32-204800 provides only 32 vCPU and 200 GB RAM, both of which are insufficient for the required 48 vCPU and 312 GB RAM. Option D is wrong because db-perf-optimized-64-400 provides 64 vCPU and 400 GB RAM, which exceeds the requirements and incurs unnecessary cost, and also uses Enterprise Plus edition, which is not required for this workload.

680
MCQ · easy

You need to monitor the CPU usage of a Compute Engine instance and trigger an alert when it exceeds 80% for 5 minutes. Which Google Cloud service should you use?

A. Cloud Debugger
B. Cloud Monitoring
C. Cloud Logging
D. Error Reporting
Answer: B

Cloud Monitoring provides metrics and alerting.

Why this answer

Cloud Monitoring (formerly Stackdriver Monitoring) is the correct service because it provides metrics, dashboards, and alerting policies for Compute Engine instances. You can create a metric-based alert condition that triggers when the CPU utilization metric exceeds 80% for a duration of 5 minutes, using the MQL or policy builder.

Exam trap

The trap here is that candidates confuse Cloud Logging with Cloud Monitoring because both are part of the Google Cloud operations suite, but Logging handles logs while Monitoring handles metrics and alerts.

How to eliminate wrong answers

Option A is wrong because Cloud Debugger is used to inspect the state of a running application in production without stopping it, not for monitoring CPU usage or triggering alerts. Option C is wrong because Cloud Logging collects and stores log data (e.g., application logs, system logs), but it does not natively support metric-based alerting on CPU utilization thresholds over time. Option D is wrong because Error Reporting aggregates and analyzes application errors (e.g., stack traces), not system-level metrics like CPU usage.

681
MCQ · easy

You want to identify performance bottlenecks in your application's code, such as functions consuming excessive CPU. Which Google Cloud tool should you use?

A. Cloud Profiler
B. Cloud Monitoring
C. Cloud Trace
D. Cloud Logging
Answer: A

Cloud Profiler is designed to identify CPU and heap usage at the function level, pinpointing bottlenecks.

Why this answer

Cloud Profiler is the correct tool because it continuously gathers CPU and memory usage data from your application's functions and methods, presenting a flame graph or call graph that pinpoints which code paths consume the most resources. This allows you to identify performance bottlenecks like functions consuming excessive CPU without adding significant overhead to your production environment.

Exam trap

The trap here is that candidates confuse Cloud Monitoring's infrastructure-level CPU metrics with Cloud Profiler's application-level function profiling, leading them to choose Cloud Monitoring because it sounds like it monitors CPU usage.

How to eliminate wrong answers

Option B (Cloud Monitoring) is wrong because it provides metrics, dashboards, and alerts for infrastructure-level resources (e.g., CPU utilization of a VM or request latency), but it does not profile individual functions or code lines to identify CPU-intensive methods. Option C (Cloud Trace) is wrong because it focuses on latency analysis of request paths across distributed systems, showing how long each service or RPC call takes, not CPU consumption per function. Option D (Cloud Logging) is wrong because it collects and stores log entries from applications and services, enabling search and analysis of textual events, but it does not perform statistical sampling of CPU usage at the function level.

682
MCQ · medium

A developer is deploying a Cloud Run service that needs to access a Cloud SQL instance. The service is deployed with the --no-allow-unauthenticated flag. What is the recommended way to grant the service access to the database?

A. Grant the Cloud SQL Client role to the Cloud Run service's runtime service account.
B. Create a service account key and store it in Secret Manager, then mount it as a volume.
C. Use the default Compute Engine service account and grant it the Cloud SQL Client role.
D. Enable the Cloud SQL Admin API and use Application Default Credentials from the Cloud Run service.
Answer: A

This directly grants the necessary permission via IAM.

Why this answer

The recommended way to grant a Cloud Run service access to a Cloud SQL instance is to grant the Cloud SQL Client role (roles/cloudsql.client) to the Cloud Run service's runtime service account. This role provides the necessary permissions (cloudsql.instances.connect and cloudsql.instances.get) to establish a secure connection via the Cloud SQL Auth Proxy or the Cloud SQL connector library. Using the runtime service account follows the principle of least privilege and avoids managing long-lived credentials.

Exam trap

The PCD exam often tests the misconception that you need to use a service account key or the default Compute Engine service account, when in fact Cloud Run's runtime service account is the correct identity to grant the Cloud SQL Client role to, avoiding the need for managing keys or using a shared default account.

How to eliminate wrong answers

Option B is wrong because creating a service account key and storing it in Secret Manager introduces a long-lived credential that must be rotated and managed, which is less secure and more complex than using the runtime service account's built-in identity. Option C is wrong because the default Compute Engine service account is not automatically associated with Cloud Run services; Cloud Run uses its own runtime service account, and using the Compute Engine default would violate least privilege and may not have the correct permissions. Option D is wrong because enabling the Cloud SQL Admin API alone does not grant the necessary connect permissions; the Cloud SQL Client role must be explicitly assigned to the service account, and Application Default Credentials (ADC) will only work if the underlying service account has the correct IAM role.

683
MCQ · medium

Your organization runs a multi-region application on Cloud Run that serves an API. The API is consumed by clients worldwide. You want to reduce latency by routing users to the nearest regional Cloud Run service. Currently, all traffic goes to a single Cloud Run service in us-central1. You have set up additional Cloud Run services in europe-west1 and asia-east1. Each service is fronted by an external HTTPS load balancer with a regional backend. You want to use a single global anycast IP address that automatically directs users to the closest healthy backend. You also need to support HTTPS with a custom domain and a Google-managed certificate. What should you do?

A. Create a global external HTTPS load balancer with serverless NEGs pointing to each regional Cloud Run service, and attach a Google-managed certificate.
B. Enable anycast on the Cloud Run service by selecting the 'global' setting in the Cloud Run region selection.
C. Use Cloud DNS with geo-routing policy to point users to the appropriate regional load balancer IP based on their location.
D. Configure Cloud CDN in front of the Cloud Run services to cache responses at edge locations.
Answer: A

The global load balancer uses anycast IP and routes to the closest healthy backend, and serverless NEGs integrate with Cloud Run.

Why this answer

Option A is correct because an external HTTPS load balancer with a global backend service can route traffic to the closest backend via the Google Front Ends (GFE). The regional Cloud Run services can be added as backends with the appropriate network endpoint groups (NEGs). Option D is wrong because Cloud CDN caches content but does not route based on locality.

Option C is wrong because Cloud DNS with geo-routing can direct to different IPs, but that is not a single anycast IP. Option B is wrong because Cloud Run does not support anycast itself.

684
MCQ · medium

An application running on Compute Engine instances behind a Cloud Load Balancer experiences intermittent 502 errors. The health checks pass but sometimes requests time out. What is the most likely cause?

A. The load balancer is misconfigured with wrong backend type.
B. The backend instances are running out of memory.
C. The SSL certificate has expired.
D. The connection draining timeout is too short.
Answer: D

Short connection draining timeout causes in-flight requests to be terminated, leading to 502 errors.

Why this answer

Option D is correct because a connection draining timeout that is too short can cause the load balancer to close connections prematurely while backend instances are still processing requests. This results in intermittent 502 errors and timeouts, even though health checks pass, as the instances are healthy but connections are being terminated before responses are sent.

Exam trap

The PCD exam often tests the distinction between health check failures (which cause 503 errors) and connection draining issues (which cause 502 errors), leading candidates to incorrectly attribute timeouts to backend resource exhaustion or SSL problems.

How to eliminate wrong answers

Option A is wrong because a misconfigured backend type (e.g., instance group vs. network endpoint group) would typically cause persistent health check failures or complete routing failure, not intermittent 502 errors with passing health checks. Option B is wrong because running out of memory would likely cause the instance to become unresponsive or crash, leading to health check failures, not intermittent timeouts with passing health checks. Option C is wrong because an expired SSL certificate would cause TLS handshake failures and client-side errors (e.g., SSL_ERROR_BAD_CERT_DOMAIN), not backend timeout-related 502 errors from the load balancer.

685
MCQ · easy

A developer needs to ensure that environment variables containing secrets are securely passed to a Cloud Function during deployment. Which approach should they use?

A. Store in source code
B. Use Cloud KMS
C. Use Secret Manager
D. Use runtime environment variables
Answer: C

Secret Manager provides secure storage, versioning, and fine-grained access control, and is the best practice for secrets.

Why this answer

Option C is correct because Secret Manager is the recommended Google Cloud service for securely storing and accessing secrets such as API keys, passwords, and certificates. It provides encryption at rest and in transit, fine-grained IAM access control, and versioning, allowing the Cloud Function to reference secrets by name at deployment time without exposing them in source code or configuration files.

Exam trap

The trap here is that candidates confuse Cloud KMS (a key encryption service) with Secret Manager (a secret storage service), or assume runtime environment variables are secure because they are not in source code, ignoring that they are stored in plain text in the deployment metadata.

How to eliminate wrong answers

Option A is wrong because storing secrets in source code exposes them in version control systems, violates security best practices, and increases the risk of accidental exposure. Option B is wrong because Cloud KMS is a key management service for encryption keys, not a secret storage service; it does not provide native secret versioning or direct integration with Cloud Functions for secret injection. Option D is wrong because runtime environment variables are set in plain text in the function configuration and can be viewed by anyone with access to the Cloud Console or deployment logs, offering no encryption or access control for secrets.

686
MCQ · medium

A developer is troubleshooting a deployment on Cloud Run. The service fails with 'Container failed to start' error. The container image is built from a Dockerfile that uses CMD ["npm", "start"]. What is the most likely cause?

A. The Dockerfile uses CMD instead of ENTRYPOINT.
B. The container image is too large and exceeds the memory limit.
C. The application does not listen on the port specified by the PORT environment variable.
D. The Cloud Run service does not have permission to pull the image from Container Registry.
Answer: C

Cloud Run expects the container to listen on the port defined by the PORT env var (default 8080). If the app listens on another port, it fails.

Why this answer

Cloud Run requires the containerized application to listen on the port specified by the PORT environment variable (default 8080). If the application is hardcoded to listen on a different port (e.g., 3000) or does not read the PORT variable, Cloud Run's health checks and routing will fail, resulting in a 'Container failed to start' error. The CMD instruction is correct for starting npm, but the application must bind to the correct port.

Exam trap

The PCD exam often tests the misconception that CMD vs ENTRYPOINT is the root cause of container startup failures, when in reality the PORT environment variable mismatch is a far more frequent issue on Cloud Run.

How to eliminate wrong answers

Option A is wrong because both CMD and ENTRYPOINT can be used to start a container; Cloud Run does not require ENTRYPOINT over CMD, and this is not a common cause of startup failures. Option B is wrong because Cloud Run has a memory limit (e.g., 2 GiB default) but a large image size does not directly cause a 'Container failed to start' error; the error occurs during runtime, not during image pull or memory allocation. Option D is wrong because if Cloud Run lacked permission to pull the image, the error would be 'Permission denied' or 'Image pull failed', not 'Container failed to start', which indicates the container started but then failed.

687
MCQ · hard

A financial services company requires a globally distributed database with strong consistency and sub-10 millisecond write latency across three continents. They anticipate 50 TB of transactional data. Which Google Cloud database should they deploy?

A. Cloud Spanner multi-region configuration
B. Firestore in multi-region mode
C. Cloud Bigtable with multi-cluster replication
D. Cloud SQL with cross-region replicas
Answer: A

Spanner provides linearizable consistency, global replication, and low-latency transactions.

Why this answer

Cloud Spanner is the only Google Cloud database that provides global strong consistency, horizontal scaling, and low-latency reads and writes across regions. Multi-region configurations span continents and meet the requirements.

688
Multi-Select · hard

A company is using Datastream to replicate data from an on-premises PostgreSQL database to BigQuery. They encounter high latency in replication. Which THREE steps should they take to improve performance? (Select 3)

Select 3 answers
A. Switch to a larger Datastream machine type
B. Enable parallel processing in Datastream source configuration
C. Increase the number of Dataflow workers for the streaming job
D. Add a Pub/Sub topic between Datastream and Dataflow to buffer changes
E. Reduce the retention period of the PostgreSQL WAL logs
Answers: B, C, D

Parallel streams can increase CDC throughput.

Why this answer

Option B is correct because enabling parallel processing in the Datastream source configuration allows multiple threads to read from the PostgreSQL database simultaneously, reducing the time to capture and stream changes. This directly addresses high latency by increasing throughput from the source, leveraging PostgreSQL's logical replication slots more efficiently.

Exam trap

The PCD exam often tests the misconception that Datastream has configurable machine types like Compute Engine instances, leading candidates to select option A, when in fact Datastream is fully managed and serverless with no such setting.

689
Multi-Select · medium

A social media company is building a real-time analytics platform to process user activity streams. They need to ingest millions of events per second, store them for 30 days, and query with sub-10ms latency. Which TWO Google Cloud services should they use together? (Choose 2)

Select 2 answers
A. Firestore
B. Cloud Pub/Sub
C. Cloud Spanner
D. Cloud Bigtable
E. BigQuery
Answers: B, D

Pub/Sub is the correct ingestion service for millions of events per second.

Why this answer

Cloud Pub/Sub is ideal for ingesting high-throughput event streams, and Cloud Bigtable provides low-latency storage and querying. Together they meet the requirements.

690
MCQ · medium

A company uses Cloud SQL for PostgreSQL with HA configuration. During a regional outage, the standby fails over to the primary. What is the expected recovery point objective (RPO) and recovery time objective (RTO)?

A. RPO = 5 minutes, RTO = 10 minutes
B. RPO = 0, RTO = 5 minutes
C. RPO = 0, RTO < 60 seconds
D. RPO = 1 minute, RTO = 5 minutes
Answer: C

Synchronous replication ensures no data loss, and failover is automatic within a minute.

Why this answer

Cloud SQL HA provides synchronous replication to a standby in a different zone within the same region, achieving 0 RPO. Automatic failover typically completes within 60 seconds, so RTO is less than 60 seconds.

691
MCQ · medium

A global e-commerce platform requires a database that can handle millions of concurrent users, provide strong transactional consistency across regions, and achieve 99.999% availability SLA. Which database is the best fit?

A. Cloud SQL with cross-region replication
B. Cloud Spanner
C. Firestore in Native mode
D. Bigtable
Answer: B

Spanner provides global distribution, strong consistency, and 99.999% SLA, matching the requirements.

Why this answer

Cloud Spanner is the only Google Cloud database that offers global distribution, horizontal scaling, ACID transactions across regions, and a 99.999% SLA.

692
MCQ · hard

Refer to the exhibit. A developer deployed a Cloud Run service as shown. Authenticated requests from another service in the same project using a service account receive 403 Forbidden. What is the most likely cause?

A. The Cloud Run service requires the 'allAuthenticatedUsers' member to be added
B. The --no-allow-unauthenticated flag blocks all requests including authenticated ones
C. The service account used to authenticate is not granted the roles/run.invoker role on the Cloud Run service
D. The container image was built without proper authentication headers
Answer: C

The IAM policy must grant invoker role to the service account.

Why this answer

Option C is correct because the Cloud Run service requires the IAM role `roles/run.invoker` on the service itself for any principal (including a service account) to invoke it. Since the service was deployed with `--no-allow-unauthenticated`, only explicitly granted principals can invoke it. The service account used for authentication lacks this role, causing the 403 Forbidden response.

Exam trap

The PCD exam often tests the misconception that `--no-allow-unauthenticated` blocks all requests, including authenticated ones, when in reality it only blocks unauthenticated requests and requires explicit IAM role assignment for authenticated principals.

How to eliminate wrong answers

Option A is wrong because adding `allAuthenticatedUsers` would allow any authenticated Google identity (including service accounts) to invoke the service, but the question states the service account is already authenticated yet receives 403, so the issue is not about allowing all authenticated users—it's about granting the specific invoker role to that service account. Option B is wrong because `--no-allow-unauthenticated` does not block authenticated requests; it only blocks unauthenticated requests. Authenticated requests are still processed but must be from a principal with the `roles/run.invoker` role.

Option D is wrong because authentication headers are not part of the container image; they are provided by the client at request time. The container image itself does not control IAM authorization.

693
MCQ · easy

An organisation needs to run SQL queries across data stored in Cloud SQL MySQL and Cloud Storage (CSV files) without moving the data. They want to use BigQuery as the query engine. Which feature should they use?

A. Cloud SQL cross-database query
B. BigQuery Omni
C. BigQuery federated queries using external tables
D. BigQuery Data Transfer Service
Answer: C

Federated queries allow querying Cloud SQL (via JDBC) and Cloud Storage (via external tables) directly from BigQuery.

Why this answer

BigQuery federated queries using external tables allow you to query data stored in Cloud SQL and Cloud Storage (CSV files) directly from BigQuery without moving the data. This is achieved by creating an external table definition in BigQuery that references the source, enabling SQL queries across both sources in a single query using BigQuery's query engine.

Exam trap

The PCD exam often tests the distinction between moving data (Data Transfer Service) and querying in place (federated queries), and candidates may confuse BigQuery Omni with cross-cloud capabilities when the scenario is purely within GCP.

How to eliminate wrong answers

Option A is wrong because Cloud SQL cross-database query is a feature within Cloud SQL itself for querying across multiple Cloud SQL databases, not for querying Cloud Storage data or using BigQuery as the engine. Option B is wrong because BigQuery Omni is designed for querying data across multi-cloud environments (e.g., AWS, Azure), not for querying Cloud SQL or Cloud Storage within GCP. Option D is wrong because BigQuery Data Transfer Service is used for scheduled batch imports of data into BigQuery, not for querying data in place without moving it.

694
MCQ · hard

A developer runs the above command to build and push a container image to Container Registry, but receives the error shown. The developer has the 'Cloud Build Editor' role on the project. What is the most likely cause of the error?

A. The Cloud Storage bucket for storing build artifacts does not exist.
B. The developer's user account has been revoked access to the project.
C. The Cloud Build service account has not been enabled or does not have permission to act on behalf of the user.
D. The developer does not have the 'cloudbuild.builds.create' permission because the Cloud Build Editor role does not include it.
Answer: C

The Cloud Build service account needs to be enabled and have appropriate roles.

Why this answer

The error occurs because the Cloud Build service account (typically the Compute Engine default service account or a user-specified service account) lacks the necessary permissions to push the container image to Container Registry. Even though the developer has the 'Cloud Build Editor' role, Cloud Build itself needs a service account with appropriate IAM roles (e.g., Storage Object Admin) to write to the registry. The error is not about the developer's direct permissions but about the service account that Cloud Build uses to execute the build and push.

Exam trap

The PCD exam often tests the distinction between user-level permissions and service account permissions; the trap here is that candidates assume the user's role (Cloud Build Editor) is sufficient for the entire build process, ignoring that Cloud Build acts on behalf of a service account that requires separate IAM roles.

How to eliminate wrong answers

Option A is wrong because Cloud Build automatically creates the default Cloud Storage bucket (e.g., [PROJECT_ID]_cloudbuild) if it does not exist, and the error message would be different (e.g., 'bucket not found') if that were the issue. Option B is wrong because if the developer's user account had been revoked, they would not be able to run the command at all, and the error would likely be an authentication or authorization failure (e.g., 403 or 401), not a service account permission error. Option D is wrong because the 'Cloud Build Editor' role does include the 'cloudbuild.builds.create' permission; that is a core permission of the role, so the developer can submit builds.

695
MCQ · easy

A company is designing a microservices architecture on Google Kubernetes Engine (GKE). They want to ensure zero-downtime deployments. Which strategy should they use?

A. Recreate
B. Blue/green deployment
C. Rolling update
D. Canary deployment
Answer: B

Blue/green deployment runs two versions simultaneously and switches traffic instantly, providing zero downtime.

Why this answer

Blue/green deployment is the correct strategy for achieving zero-downtime deployments on GKE because it runs two identical environments (blue and green) and switches traffic instantly via a Kubernetes Service or Ingress. This eliminates any period where the application is unavailable, as the old version remains live until the new version is fully ready and traffic is cut over. GKE's LoadBalancer or Ingress controller can route all traffic to the new environment with a single configuration update, ensuring no requests are dropped.

Exam trap

The trap here is that candidates confuse 'zero-downtime' with 'minimal downtime' and choose Rolling update, not realizing that Rolling update can still cause brief unavailability if the old pods are terminated before the new ones are fully ready, whereas Blue/green ensures no overlap of traffic to an unready version.

How to eliminate wrong answers

Option A is wrong because Recreate terminates all existing pods before creating new ones, causing a period of downtime while the new pods start up. Option C is wrong because Rolling update, while minimizing downtime, can still cause brief periods of unavailability if health checks fail or if the update is not configured with proper surge and maxUnavailable settings, and it does not guarantee zero-downtime in all scenarios. Option D is wrong because Canary deployment is designed for gradual traffic shifting and risk mitigation, not for zero-downtime deployments; it intentionally routes a small percentage of traffic to the new version, which can still cause partial downtime or errors if the canary fails, and it requires manual or automated traffic management to complete the rollout.

696
MCQ · hard

A company is migrating an Oracle database to Cloud SQL for PostgreSQL using Ora2Pg. They need to convert stored procedures and functions. After conversion, they find that some PL/SQL code is not working. What is the most likely reason?

A. pgTap is needed to validate the converted code.
B. The Database Migration Service is required to convert stored procedures.
C. The PostgreSQL target instance is running an incompatible version.
D. Ora2Pg does not convert Oracle-specific PL/SQL packages like DBMS_*.
Answer: D

Many Oracle-specific packages (e.g., DBMS_OUTPUT) have no direct equivalent in PostgreSQL and require manual rewriting.

Why this answer

Ora2Pg is an open-source tool that automates migration from Oracle to PostgreSQL, but it does not convert Oracle-specific PL/SQL packages such as DBMS_*, UTL_*, or other built-in Oracle libraries. These packages have no direct equivalent in PostgreSQL, so any stored procedures or functions that rely on them will fail after conversion. Manual rewriting or using PostgreSQL-compatible extensions (e.g., pg_dbms_* community modules) is required.

Exam trap

The PCD exam often tests the misconception that a migration tool like Ora2Pg can fully automate the conversion of all Oracle PL/SQL code, when in reality Oracle-specific packages are not supported and require manual intervention.

How to eliminate wrong answers

Option A is wrong because pgTap is a unit testing framework for PostgreSQL, not a validation tool for converted PL/SQL code; it does not fix conversion issues. Option B is wrong because Database Migration Service (DMS) is a fully managed service for migrating databases, but it is not required to convert stored procedures—Ora2Pg handles that, and DMS does not convert Oracle-specific PL/SQL packages either. Option C is wrong because while PostgreSQL version compatibility can cause issues, the most likely reason for PL/SQL code failure after Ora2Pg conversion is the presence of unsupported Oracle-specific packages, not the PostgreSQL version itself.

697
MCQ · easy

A developer wants to deploy a Compute Engine instance using Terraform. They want to run a startup script to install software. How should they provide the script?

A. Use the metadata block with key 'startup-script' and the script content as value.
B. Use a cloud-init configuration file passed via user-data metadata.
C. Use the user-data metadata key with the script content.
D. Use the gcloud compute instances create command with --metadata-from-file flag.
Answer: A

This is the standard way to provide startup scripts in Terraform for GCP.

Why this answer

Option A is correct because Terraform's `google_compute_instance` resource supports a `metadata` block where you can set the key `startup-script` with the script content as the value. When the Compute Engine instance boots, the `google-guest-agent` reads this metadata key and executes the script as the root user, which is the standard method for running startup scripts on Linux instances without additional configuration.

Exam trap

The trap here is that candidates confuse `user-data` (used by cloud-init) with `startup-script` (used by the Google Guest Agent), assuming any metadata key named 'user-data' will run a script, when in fact it requires cloud-init to be present and configured.

How to eliminate wrong answers

Option B is wrong because `cloud-init` is a separate tool that requires a specific `#cloud-config` format in the `user-data` metadata key; while it can install software, it is not the standard Terraform approach for a simple startup script and adds unnecessary complexity. Option C is wrong because the `user-data` metadata key is used by `cloud-init` (or `cloudbase-init` on Windows) to pass configuration files, not by the default `google-guest-agent`; using `user-data` with raw script content will not execute it unless `cloud-init` is installed and configured. Option D is wrong because the question explicitly asks how to provide the script using Terraform, not the `gcloud` CLI; `gcloud compute instances create --metadata-from-file` is a command-line tool, not a Terraform configuration.

698
MCQ · easy

An engineer needs to create a Cloud SQL for PostgreSQL instance with high availability. Which configuration ensures automatic failover in less than 60 seconds if the primary zone fails?

A. Select a regional instance with synchronous standby in a different zone.
B. Select a zonal instance with a read replica in a different zone.
C. Select a zonal instance with automatic storage increase enabled.
D. Select a cross-region replica for disaster recovery.
Answer: A

Regional HA configuration uses a synchronous standby in another zone, enabling automatic failover within 60 seconds.

Why this answer

Cloud SQL HA uses a regional instance with a synchronous standby in a different zone within the same region. Automatic failover occurs within 60 seconds. Zonal instances do not provide HA.

Cross-region replication is not supported for HA; it's used for disaster recovery.

699
MCQ · medium

Refer to the exhibit. Which schema or index change would most improve this query?

A. Create a primary key on CustomerID
B. Rewrite the query as a subquery
C. Create a secondary index on Orders.CustomerID and Customers.CustomerID
D. Increase the number of Spanner nodes
Answer: C

Secondary indexes speed up joins by enabling index seeks instead of full scans.

Why this answer

Option C is correct because creating secondary indexes on both `Orders.CustomerID` and `Customers.CustomerID` allows Spanner to perform an index-based join without scanning the full base tables. Spanner uses distributed, strongly consistent secondary indexes to avoid full table scans, which dramatically reduces latency and resource consumption for join queries. Without these indexes, Spanner must perform a broadcast join or a full table scan on both tables, which is inefficient at scale.

Exam trap

The PCD exam often tests the misconception that adding nodes or rewriting queries can fix performance issues, when the real bottleneck is the lack of appropriate secondary indexes for join and filter operations in a distributed database like Spanner.

How to eliminate wrong answers

Option A is wrong because a primary key on `CustomerID` already exists implicitly or explicitly in most table designs, and adding another primary key would not improve query performance for a join on `CustomerID`; Spanner does not use primary keys for join acceleration in the same way as secondary indexes. Option B is wrong because rewriting the query as a subquery does not change the underlying access pattern; Spanner still needs to scan tables or use indexes, and a subquery can even introduce additional overhead without any index optimization. Option D is wrong because increasing the number of Spanner nodes adds compute and storage capacity but does not directly improve query performance for a specific join; it may even increase latency due to more distributed coordination unless the query is already I/O-bound and the additional nodes are used to parallelize scans, which still requires indexes to avoid full table scans.

700
MCQ · medium

A company wants to run analytics queries on Cloud SQL data without impacting the transactional workload. They need to query the Cloud SQL database directly from BigQuery. Which BigQuery feature should they use?

A. BigQuery federated queries using Cloud SQL external table
B. Cloud SQL read replicas
C. Datastream to replicate Cloud SQL to BigQuery
D. BigQuery Omni
Answer: A

Federated queries allow querying Cloud SQL directly.

Why this answer

BigQuery federated queries using Cloud SQL external tables allow you to query Cloud SQL databases directly from BigQuery without moving or replicating the data. This feature uses a federated query engine that pushes down SQL operations to Cloud SQL, minimizing the impact on the transactional workload by only reading the required data on demand.

Exam trap

The PCD exam often tests the distinction between direct querying (federated queries) and data replication (Datastream), so the trap here is that candidates may choose Datastream because it is a common pattern for moving data to BigQuery, but the question explicitly requires querying the Cloud SQL database directly without impacting the transactional workload.

How to eliminate wrong answers

Option B is wrong because Cloud SQL read replicas are used to offload read traffic from the primary instance, but they do not enable direct querying from BigQuery; BigQuery cannot query a Cloud SQL read replica directly. Option C is wrong because Datastream is a change data capture (CDC) service that replicates data from Cloud SQL to BigQuery in near real-time, which involves moving data and is not a direct query mechanism; it also adds latency and storage costs. Option D is wrong because BigQuery Omni is a multi-cloud analytics solution that allows querying data in AWS and Azure, not for querying Cloud SQL databases directly.

701
MCQ · easy

A developer is building a microservices application on Cloud Run. One service needs to make authenticated HTTP requests to another Cloud Run service in the same project. What is the best practice for authentication?

A. Use API keys
B. Use Cloud Run's built-in service-to-service authentication with the default compute service account
C. Use OAuth2 client credentials
D. Use IAM roles on the target service and call it with the appropriate identity token from the metadata server
Answer: D

This is the recommended approach: use a service account with the roles/run.invoker role on the target service and obtain an identity token from the metadata server.

Why this answer

Option D is correct because Cloud Run service-to-service authentication is best done using an identity token from the metadata server and setting IAM on the target service. Option A is not recommended as API keys are for external clients. Option B uses the default compute service account, which may have broader permissions than needed. Option C uses OAuth2 client credentials, which are for external applications.

702
MCQ · medium

A company plans to migrate an on-premises Oracle database to Cloud SQL for PostgreSQL. They need to minimize downtime and ensure continuous sync during migration. Which migration approach should they use?

A. Export the Oracle database as a dump file and import it into Cloud SQL manually.
B. Use DMS with a continuous migration job, allowing CDC replication until cutover.
C. Use DMS with a one-time migration job, then manually sync changes before cutover.
D. Use Cloud SQL Auth Proxy to connect Oracle to Cloud SQL and replicate data using a custom script.
Answer: B

Continuous migration with CDC enables near-zero downtime by keeping the target in sync.

Why this answer

Database Migration Service (DMS) with a continuous migration job enables ongoing Change Data Capture (CDC) replication from the source Oracle database to Cloud SQL for PostgreSQL. This approach keeps the target database synchronized with minimal downtime, allowing a controlled cutover when the migration is complete. It is the only option that satisfies the requirements of continuous sync and minimal downtime.

Exam trap

The PCD exam often tests the distinction between one-time and continuous migration jobs, where candidates mistakenly believe a one-time job plus manual sync is sufficient for minimal downtime, overlooking the need for automated CDC to avoid data loss and extended cutover windows.

How to eliminate wrong answers

Option A is wrong because exporting and importing a dump file is a manual, offline process that requires the source database to be stopped or locked, causing significant downtime and no continuous sync. Option C is wrong because a one-time migration job only captures a snapshot of the data at a point in time; any changes made after that snapshot must be manually applied, which introduces downtime and risk of data loss. Option D is wrong because Cloud SQL Auth Proxy is designed for secure connections to Cloud SQL, not for replication; using a custom script to replicate from Oracle would be unreliable, lack CDC capabilities, and not provide the managed, continuous sync that DMS offers.

703
MCQ · hard

You are migrating an on-premises PostgreSQL database (OLTP, 200 GB) to Google Cloud. The database requires high availability with automatic failover and zero RPO. Which configuration should you use?

A. AlloyDB with HA configuration
B. Cloud SQL HA instance
C. Cloud SQL single zone instance with an external replica
D. Cloud SQL instance with cross-region read replica
Answer: B

Correct: synchronous replication to standby in different zone, automatic failover, zero RPO.

Why this answer

Cloud SQL HA instance provides synchronous replication to a standby in a different zone within the same region, ensuring automatic failover with zero RPO because no committed transaction is lost. This meets the requirement for high availability and zero data loss for an OLTP PostgreSQL database of this size.

Exam trap

The trap here is that candidates confuse high availability (HA) with disaster recovery (DR) or assume that any replica (like a cross-region read replica) can provide automatic failover with zero RPO, but only synchronous replication within the same region achieves that guarantee.

How to eliminate wrong answers

Option A is wrong because AlloyDB with HA configuration, while offering high availability, is a different managed service optimized for PostgreSQL-compatible workloads with higher performance but does not guarantee zero RPO in all failover scenarios (it uses synchronous replication but with a different architecture). Option C is wrong because a single zone instance with an external replica cannot provide automatic failover with zero RPO; external replicas are asynchronous, meaning data loss can occur during failover. Option D is wrong because a cross-region read replica is asynchronous and intended for read scaling or disaster recovery, not for automatic failover with zero RPO; failover would require manual promotion and risk data loss.

704
MCQ · easy

A developer wants to ensure that error logs from their Java application are automatically captured and grouped in Cloud Error Reporting. What is the recommended approach?

A. Configure a log sink to Error Reporting
B. Export logs to BigQuery and then import to Error Reporting
C. Instrument the application with the Error Reporting client library
D. Use a custom log-based metric to count errors
Answer: C

The client library automatically captures and groups errors.

Why this answer

Option C is correct because the Error Reporting client library directly integrates with the application to automatically capture and group error logs, sending them to Cloud Error Reporting without requiring additional infrastructure. This is the recommended approach as it provides structured error reporting with automatic grouping, stack trace analysis, and real-time notifications.

Exam trap

The PCD exam often tests the misconception that log sinks can route directly to Error Reporting, but in reality, log sinks only support specific destinations like BigQuery, Pub/Sub, Cloud Storage, and Logging buckets, not Error Reporting.

How to eliminate wrong answers

Option A is wrong because configuring a log sink to Error Reporting is not a supported operation; log sinks route logs to destinations like BigQuery, Pub/Sub, or Cloud Storage, not directly to Error Reporting. Option B is wrong because exporting logs to BigQuery and then importing to Error Reporting introduces unnecessary complexity and latency, and Error Reporting does not have an import mechanism from BigQuery. Option D is wrong because a custom log-based metric to count errors only tracks the count of errors, not the actual error details, stack traces, or grouping required for Error Reporting.

705
MCQ · hard

A Cloud Bigtable cluster is under heavy write load, and you notice write latency spikes. The row key pattern is domain_reversed_timestamp (e.g., com.example.2024-01-15T10:00:00). Which row key modification would BEST reduce write hotspots?

A. Promote the timestamp to the beginning of the key
B. Add a random salting prefix to the row key
C. Remove the domain reversal and use just timestamp
D. Use a single table with multiple column families
Answer: B

Salting distributes writes across nodes, reducing hotspots.

Why this answer

The row key pattern `domain_reversed_timestamp` causes all writes for a given domain to hit the same tablet server, creating a hotspot under heavy load. Adding a random salting prefix (e.g., a hash of the domain or a random integer) distributes writes evenly across all nodes in the Bigtable cluster, eliminating the sequential write bottleneck. This is the standard anti-hotspot pattern for Bigtable row key design.

Exam trap

The PCD exam often tests the misconception that reversing the domain or using timestamps is sufficient for write distribution, when in fact any sequential or low-cardinality prefix creates hotspots under heavy write load.

How to eliminate wrong answers

Option A is wrong because promoting the timestamp to the beginning of the key would make writes sequential in time, causing all recent writes to land on a single tablet server and worsening the hotspot. Option C is wrong because removing the domain reversal and using just the timestamp would create a monotonically increasing key, which is the worst-case pattern for Bigtable writes as all new data goes to one tablet. Option D is wrong because using multiple column families does not affect row key distribution; column families are for schema organization and access patterns, not for write load balancing across tablet servers.

706
Multi-Select · medium

A company is integrating a legacy application with Google Cloud using Cloud VPN. The application must be accessed from multiple remote offices over the internet. Which TWO technologies should the company use to ensure secure and reliable connectivity? (Choose TWO.)

Select 2 answers
A. Cloud Interconnect
B. Private Google Access
C. Cloud NAT
D. Direct Peering
E. Cloud VPN
Answers: A, E

Provides dedicated, low-latency connections, ideal for reliable access.

Why this answer

Option E (Cloud VPN) is correct for site-to-site VPN connectivity. Option A (Cloud Interconnect) is correct for dedicated, reliable connectivity. Option D (Direct Peering) is not recommended for multi-office since it's for on-prem to Google, not hub-spoke. Option C (Cloud NAT) is for outbound internet. Option B (Private Google Access) is for on-prem to Google APIs.

707
Multi-Select · hard

A company's application on GKE is experiencing performance degradation. They want to use Google Cloud operations tools to identify the root cause. Which THREE tools should they use in combination?

Select 3 answers
A. Cloud Trace
B. Cloud Monitoring
C. Cloud Profiler
D. Cloud Debugger
E. Cloud Logging
Answers: A, B, E

Cloud Trace enables distributed tracing to identify latency bottlenecks.

Why this answer

Cloud Trace is correct because it provides distributed tracing capabilities that allow you to analyze latency across microservices in a GKE application. By collecting trace data from each request as it propagates through services, Cloud Trace helps identify performance bottlenecks, such as slow downstream calls or inefficient database queries, which are common causes of performance degradation.

Exam trap

The PCD exam often tests the distinction between tools that diagnose performance (Trace, Monitoring, Logging) versus tools that debug code (Debugger) or profile resource usage (Profiler), leading candidates to include Profiler or Debugger when only performance monitoring tools are needed.

708
MCQ · hard

You are configuring Cloud Bigtable for a financial market data application. Write throughput is critical, and row keys are based on stock symbols. You notice significant write latency on a few nodes. What is the most effective way to improve write distribution?

A. Prepend a hashed prefix to the row key (salted keys)
B. Separate frequently accessed columns into a different column family
C. Increase the garbage collection (GC) grace period
D. Use reversed domain keys (e.g., com.example.stock)
Answer: A

Salting distributes writes across nodes by randomizing the row key start.

Why this answer

Salted keys (prepending a hash prefix) distribute writes across nodes. Reversed domain keys help with read patterns but not write distribution. Column families and GC policies do not affect write distribution.

709
MCQ · easy

A team is developing a mobile backend API on Google Cloud. They are using Cloud Endpoints to manage API authentication and quotas. They want to monitor API performance including request count, latency, and error rates. They have enabled Cloud Endpoints logging but are not seeing detailed performance metrics in Cloud Monitoring. What should they do?

A. Deploy a custom metrics exporter in the mobile app.
B. Enable Cloud Monitoring integration in Cloud Endpoints configuration.
C. Install the Ops Agent on the API backend instances.
D. Use Cloud Logging to parse logs and create metric counters.
Answer: B

This sends detailed API metrics to Cloud Monitoring without custom coding.

Why this answer

Cloud Endpoints uses an Extensible Service Proxy (ESP) or Envoy proxy to intercept API calls and report metrics to Cloud Monitoring. By default, Endpoints logs requests but does not send detailed performance metrics (e.g., latency, request count, error rates) to Cloud Monitoring unless you explicitly enable the Cloud Monitoring integration in the Endpoints service configuration. Option B is correct because enabling this integration configures the proxy to emit those metrics directly to Cloud Monitoring.

Exam trap

The trap here is that candidates confuse Cloud Endpoints logging (which records individual request logs) with Cloud Monitoring metrics (which aggregate performance data), and they incorrectly assume that enabling logs automatically populates Cloud Monitoring dashboards.

How to eliminate wrong answers

Option A is wrong because custom metrics exported from the mobile app would measure client-side performance, not the backend API performance that Cloud Endpoints monitors. Option C is wrong because the Ops Agent collects OS-level and application metrics from VM instances, but it does not integrate with Cloud Endpoints' proxy to capture API-specific metrics like request count, latency, or error rates. Option D is wrong because while you could parse logs to create metric counters, this approach is indirect, adds latency, and misses the built-in, low-latency metric pipeline that Cloud Endpoints provides when integrated with Cloud Monitoring.

710
MCQ · easy

An engineer needs to create a Cloud SQL instance for a development environment with minimal cost. The instance will have low traffic, and storage growth is expected to be gradual. Which storage configuration should they choose?

A. Use HDD storage with storage auto-increase disabled.
B. Use SSD storage with storage auto-increase disabled.
C. Use SSD storage with storage auto-increase enabled.
D. Use HDD storage with storage auto-increase enabled.
Answer: C

SSD provides good performance at low cost for dev, and auto-increase prevents storage full issues.

Why this answer

SSD storage is recommended for most workloads due to performance, and enabling auto-increase ensures you don't run out of disk. HDD is cheaper but has much lower IOPS, which may cause performance issues even for dev. Disabling auto-increase risks downtime.

The smallest disk size with SSD and auto-increase is cost-effective.

711
MCQ · easy

A developer wants to allow a Compute Engine instance to send messages to a Pub/Sub topic. What is the recommended way to grant permissions?

A. Generate an API key for the instance and include it in HTTP requests.
B. Create a service account and assign the Pub/Sub Publisher role; attach the service account to the instance.
C. Use the instance's default Compute Engine service account and assign the Pub/Sub Publisher role to it.
D. Store the service account key file directly on the instance.
Answer: C

The default service account is convenient and secure.

Why this answer

Option C is correct because the default Compute Engine service account is automatically created for each project and attached to instances by default. By assigning the Pub/Sub Publisher role to this service account, the instance can authenticate and publish messages to a Pub/Sub topic without managing keys or credentials, following Google Cloud's recommended IAM best practices.

Exam trap

The PCD exam often tests the distinction between using the default service account versus creating a new one; the trap here is that candidates may think a dedicated service account is always required, but the recommended approach is to use the default service account when it already has the necessary permissions, avoiding unnecessary complexity and security risks.

How to eliminate wrong answers

Option A is wrong because API keys are used for identifying projects calling APIs that do not require a user or service account, but they are not suitable for authenticating a Compute Engine instance to a Pub/Sub topic; they lack the granularity and security of IAM roles. Option B is wrong because while creating a dedicated service account and assigning the Pub/Sub Publisher role is a valid approach, it is not the recommended way when a default service account already exists and can be used; the question asks for the recommended way, which leverages the existing default service account to avoid unnecessary overhead. Option D is wrong because storing a service account key file directly on the instance introduces security risks (key exposure, rotation complexity) and violates the principle of using instance metadata and IAM roles for authentication; the recommended approach is to use the instance's attached service account without downloading keys.

712
MCQ · medium

A company is running a critical application on Google Kubernetes Engine (GKE) that stores state in a Cloud SQL PostgreSQL instance. The application's latency-sensitive frontend needs to read data from Cloud SQL with minimal latency. The team wants to reduce read latency and offload read traffic from the primary database. What should they do?

A. Migrate the database to Cloud Spanner for better read scalability.
B. Use Memorystore for Redis as a cache layer between the application and Cloud SQL.
C. Create a read replica of the Cloud SQL instance and direct read traffic to the replica.
D. Use Cloud CDN to cache database responses.
Answer: C

Read replicas handle read-only queries, reducing load on the primary and improving read latency.

Why this answer

Option C is correct because creating a read replica of the Cloud SQL PostgreSQL instance allows read-heavy, latency-sensitive traffic to be offloaded from the primary database. The replica handles SELECT queries independently, reducing load on the primary and lowering read latency for the frontend, as replicas are typically in the same region and can serve data with minimal additional delay.

Exam trap

The PCD exam often tests the misconception that caching (Memorystore or CDN) is the only way to reduce read latency, but the question specifically asks to offload read traffic from the primary database, which a read replica achieves directly without introducing cache coherence complexity.

How to eliminate wrong answers

Option A is wrong because migrating to Cloud Spanner would introduce unnecessary complexity and cost for a workload that only needs read offloading; Spanner is designed for global, strongly consistent transactions, not simply reducing read latency from a single-region PostgreSQL instance. Option B is wrong because Memorystore for Redis adds a caching layer that requires application code changes to manage cache invalidation and consistency, and it does not directly offload read traffic from Cloud SQL—it caches data, but stale reads can occur if not carefully managed. Option D is wrong because Cloud CDN caches static content at edge locations and is not designed to cache dynamic database query responses; it would not reduce read latency for application-level database reads and would introduce staleness issues.

713
MCQ · hard

An organization wants to create custom metrics based on application logs to track business KPIs. They need to ensure these metrics are available for alerting within minutes. Which approach should they use?

A. Export logs to BigQuery and use scheduled queries
B. Use OpenTelemetry collector to send metrics directly
C. Use Cloud Functions to parse logs and push custom metrics via API
D. Write logs to Cloud Logging and use log-based metrics
Answer: D

Log-based metrics are designed for this use case with low latency.

Why this answer

Log-based metrics in Cloud Logging allow you to define custom metrics from log entries using filters or regular expressions. These metrics are ingested and available for alerting within minutes because they are processed in near real-time by the Cloud Monitoring backend, without requiring external data pipelines or custom code.

Exam trap

The PCD exam often tests the distinction between extracting metrics from logs (log-based metrics) versus sending metrics directly (OpenTelemetry or custom API), and candidates mistakenly choose direct metric collection when the requirement explicitly states the source is application logs.

How to eliminate wrong answers

Option A is wrong because exporting logs to BigQuery and using scheduled queries introduces latency of at least several minutes (due to export delays and query scheduling), making it unsuitable for near-real-time alerting. Option B is wrong because the OpenTelemetry collector sends metrics directly, but the question requires metrics derived from application logs, not direct metric instrumentation; using OpenTelemetry would bypass the log source entirely. Option C is wrong because using Cloud Functions to parse logs and push custom metrics via API adds unnecessary complexity and latency (function cold starts, API call overhead), and is less reliable than the native log-based metrics pipeline which is designed for low-latency metric extraction.

714
MCQ · medium

A company uses Cloud Bigtable for time-series data. They notice uneven load distribution across nodes causing hot spots. Which tool should they use to identify the hot spots?

A. Cloud Monitoring dashboards
B. Cloud Bigtable Key Visualiser
C. cbt command-line tool
D. Cloud Logging
Answer: B

Key Visualiser provides a heatmap of row access patterns to identify hot spots.

Why this answer

Cloud Bigtable Key Visualiser graphically shows read/write heatmaps to identify hot spots. Monitoring dashboards show metrics but not specific hot spots. The cbt tool is a CLI, not a visual tool. Cloud Logging records operations but doesn't visualize load distribution.

715
Multi-Select · medium

A company uses AlloyDB for PostgreSQL and needs to scale read traffic automatically. They also want to ensure the database remains available if the primary zone fails. Which two features should they use? (Choose two.)

Select 2 answers
A. Deploy AlloyDB Omni on-premises
B. Use a single-zone cluster and rely on read replicas for HA
C. Configure the cluster as a regional cluster with high availability
D. Enable cross-region replication
E. Create a read pool instance with autoscaling enabled
Answers: C, E

Regional HA provides standby in another zone for failover.

Why this answer

Read pool instances provide auto-scaling read replicas, and regional cluster with HA provides automatic failover across zones.

716
MCQ · easy

A company is migrating an on-premises PostgreSQL OLTP application to Google Cloud. They need a managed database with high availability, automatic failover, and zero RPO. Which database service should they choose?

A. Cloud SQL for PostgreSQL with HA configuration
B. Firestore
C. Bigtable
D. Cloud Spanner
Answer: A

Cloud SQL HA provides synchronous replication, automatic failover, and 0 RPO, ideal for this migration.

Why this answer

Cloud SQL for PostgreSQL supports HA instances with synchronous replication to a standby in the same region, automatic failover, and zero RPO. It is the best choice for a lift-and-shift of a PostgreSQL OLTP workload.

717
MCQmedium

A team notices that their application's latency has increased after a recent deployment. They suspect a specific code path is slower. Which Google Cloud tool should they use to identify the most time-consuming functions in their code?

A.Cloud Debugger
B.Cloud Trace
C.Cloud Profiler
D.Cloud Logging
AnswerC

Profiler shows the most time-consuming functions in production.

Why this answer

Cloud Profiler is the correct tool because it performs continuous, low-overhead profiling of CPU and memory usage, pinpointing the specific functions or methods that consume the most resources. Unlike tracing, which focuses on request latency across services, profiling identifies the most time-consuming code paths within a single application process, making it ideal for diagnosing a slow code path after a deployment.

Exam trap

The trap here is that candidates often confuse Cloud Trace (which shows request-level latency) with Cloud Profiler (which shows function-level CPU/memory consumption), leading them to choose Trace when the question specifically asks for identifying the most time-consuming functions within a code path.

How to eliminate wrong answers

Option A is wrong because Cloud Debugger is designed for inspecting application state at a specific point in time (e.g., viewing variables and stack traces) without stopping the app, but it does not measure or aggregate function execution times to identify the slowest code paths. Option B is wrong because Cloud Trace provides distributed tracing to measure end-to-end request latency across services, but it does not drill down into individual function-level execution time within a single service; it focuses on spans and requests, not code profiling. Option D is wrong because Cloud Logging collects and stores log data for analysis and alerting, but it does not automatically instrument or measure function execution times; it requires manual log statements and cannot identify the most time-consuming functions without custom instrumentation.

718
MCQeasy

A company wants to trigger a Cloud Run job every time a new file is uploaded to a Cloud Storage bucket. Which integration should be used?

A.Use Cloud Pub/Sub notifications from the bucket and create a push subscription to the Cloud Run job.
B.Use Cloud Scheduler to poll the bucket and invoke the Cloud Run job every minute.
C.Use Eventarc to create a trigger that routes Cloud Storage events to the Cloud Run job.
D.Use Cloud Functions to listen for storage events and then call the Cloud Run job via HTTP.
AnswerC

Eventarc listens to events and delivers them to Cloud Run jobs.

Why this answer

Option C is correct because Eventarc can route Cloud Storage events (like object finalize) to Cloud Run jobs via CloudEvents. Option A is wrong because Cloud Scheduler is time-based, not event-based. Option B is wrong because Cloud Functions can be triggered by storage events, but the question asks for Cloud Run job.

Option D is wrong because Pub/Sub alone cannot directly trigger a Cloud Run job without a subscription or push endpoint.

719
Multi-Selecthard

Which THREE are valid methods for authenticating a user or service when deploying a Cloud Function via the Google Cloud SDK? (Choose 3)

Select 3 answers
A.Using an API key
B.Using a user account with 'gcloud auth login'
C.Using an OAuth 2.0 client ID
D.Using an access token obtained from the Google Cloud Console
E.Using a service account key file with 'gcloud auth activate-service-account'
AnswersB, D, E

Valid: User accounts can authenticate via OAuth 2.0.

Why this answer

Option B is correct because 'gcloud auth login' authenticates a user account via OAuth 2.0, which is a valid method for deploying Cloud Functions. The Google Cloud SDK uses the user's credentials to authorize API calls, including deployments, making this a standard authentication approach for interactive or user-driven workflows.

Exam trap

The PCD exam often tests the distinction between authentication methods that are valid for SDK commands versus those meant for other contexts, such as API keys for simple API access or OAuth client IDs for application flows, leading candidates to mistakenly select them as valid for gcloud deployments.

720
MCQhard

Refer to the exhibit. You are analyzing application logs and notice that some logs contain a 'trace' field. What does this field enable?

A.It is used by Cloud Monitoring to correlate logs with metrics
B.It is used to export the log to Cloud Trace
C.It links the log entry to a specific Cloud Trace trace for end-to-end latency analysis
D.It indicates that the log was generated by the Cloud Trace agent
AnswerC

The trace field allows you to view the request's entire trace in Cloud Trace.

Why this answer

The 'trace' field in a log entry contains the trace ID and span ID that link the log to a specific Cloud Trace trace. This enables end-to-end latency analysis by correlating log entries with the distributed trace that generated them, allowing you to see the full request path across services.

Exam trap

The PCD exam often tests the distinction between 'correlating logs with metrics' (which is done via resource labels or custom metrics) and 'linking logs to a specific trace' (which is the exact purpose of the trace field), so candidates mistakenly choose A because they confuse correlation with linking.

How to eliminate wrong answers

Option A is wrong because Cloud Monitoring uses metrics and logs separately; the 'trace' field does not correlate logs with metrics—that correlation is done via resource labels or metric descriptors, not the trace field. Option B is wrong because the 'trace' field does not trigger log export to Cloud Trace; logs are exported via sinks or agents, and Cloud Trace ingests trace data directly from instrumented applications. Option D is wrong because the 'trace' field indicates a link to an existing trace, not that the log was generated by the Cloud Trace agent; logs can be written by any source and still include a trace ID if the application propagates it.

721
MCQhard

A team is migrating a monolithic app to microservices. They need to handle distributed transactions across services. Which pattern should they use?

A.Eventual consistency with compensation
B.Saga pattern
C.Distributed lock manager
D.Two-phase commit
AnswerB

Saga pattern uses local transactions and compensations, providing consistency without locking resources across services.

Why this answer

The Saga pattern is the correct choice for managing distributed transactions across microservices because it breaks a long-lived transaction into a sequence of local transactions, each with a compensating action to roll back if a subsequent step fails. This avoids the tight coupling and performance bottlenecks of distributed locking or two-phase commit, which are unsuitable for cloud-native, highly scalable environments. Sagas can be orchestrated (via a coordinator) or choreographed (via events), and they align with eventual consistency principles required for high availability.

Exam trap

The PCD exam often tests the misconception that two-phase commit (2PC) is suitable for microservices, but the trap is that 2PC is a synchronous, blocking protocol that undermines scalability and availability, whereas the Saga pattern is the correct asynchronous, compensating approach for distributed transactions in cloud-native apps.

How to eliminate wrong answers

Option A is wrong because eventual consistency with compensation is a general principle, not a specific pattern; the Saga pattern is the concrete implementation that provides compensation actions. Option C is wrong because a distributed lock manager introduces a single point of contention and blocking, which reduces scalability and availability, contradicting the goal of a cloud-native architecture. Option D is wrong because two-phase commit (2PC) is a synchronous, blocking protocol that requires all participants to be available and locks resources, making it unsuitable for microservices that demand high availability and partition tolerance; it also violates the CAP theorem in distributed systems.

722
Multi-Selectmedium

Which TWO strategies can be used to reduce cold start latency in Cloud Run? (Choose 2)

Select 2 answers
A.Increase the maximum number of concurrent requests per instance.
B.Deploy the Cloud Run service in a region closer to the users.
C.Set a minimum number of instances (min-instances) to keep instances warm.
D.Allocate more memory to the container (up to 4GiB).
E.Use a VPC connector to access resources in a VPC network.
AnswersC, D

Correct: min-instances ensures at least that many instances are always ready, eliminating cold starts.

Why this answer

Option C is correct because setting a minimum number of instances (min-instances) ensures that a specified number of container instances are always running and ready to serve requests, eliminating the cold start latency that occurs when an instance must be started from scratch. This pre-warming strategy directly reduces the time users wait for the first request to be processed.

Exam trap

The PCD exam often tests the distinction between reducing network latency (region proximity) and reducing cold start latency (instance pre-warming), causing candidates to mistakenly select a region closer to users as a solution for cold start.

723
Multi-Selecteasy

A company wants to design a highly available web application that serves users globally. They plan to use Cloud Load Balancing. Which two design choices should they make to ensure high availability and low latency? (Choose two.)

Select 2 answers
A.Enable Cloud CDN to cache static content closer to users.
B.Use a global HTTPS Load Balancer with backend services in multiple regions.
C.Use a single-zone backend instance group for simplicity.
D.Use Cloud Armor to filter malicious traffic.
E.Deploy separate regional load balancers in each region and use DNS-based routing.
AnswersA, B

CDN reduces latency and offloads origin servers.

Why this answer

Enabling Cloud CDN caches static content at Google's global edge locations, reducing latency by serving content from a point of presence (PoP) close to the user. This offloads requests from backend instances, improving overall availability and performance for global users.

Exam trap

The PCD exam often tests the misconception that separate regional load balancers with DNS-based routing are equivalent to a global load balancer, but the trap here is that DNS-based routing introduces latency and failover delays, whereas a global load balancer with anycast IP provides seamless, low-latency failover across regions.

724
MCQmedium

A company is building a real-time analytics application on Google Cloud that ingests data from thousands of IoT devices. The data must be processed with sub-second latency and stored in a time-series database for querying. Which combination of services provides the best scalability and availability?

A.Cloud Pub/Sub, Cloud Dataflow, Cloud Datastore
B.Cloud Pub/Sub, Cloud Functions, Cloud SQL
C.Cloud Pub/Sub, Cloud Dataflow, Cloud Storage
D.Cloud Pub/Sub, Cloud Dataflow, Cloud Bigtable
AnswerD

Bigtable is ideal for high-throughput time-series data with low-latency access.

Why this answer

Cloud Bigtable is a fully managed, scalable NoSQL database designed for large analytical and operational workloads, offering sub-10ms latency for time-series data. Combined with Cloud Pub/Sub for ingesting high-throughput IoT data and Cloud Dataflow for stream processing, this combination provides the best scalability and availability for real-time analytics with sub-second latency requirements.

Exam trap

The trap here is that candidates often confuse Cloud Bigtable with Cloud Datastore or Cloud SQL, not realizing that Bigtable is the only Google Cloud database purpose-built for high-throughput, low-latency time-series and analytical workloads at scale.

How to eliminate wrong answers

Option A is wrong because Cloud Datastore (now Firestore in Datastore mode) is a document/NoSQL database optimized for transactional, not analytical, workloads and does not provide the high write throughput or time-series optimization needed for IoT data. Option B is wrong because Cloud Functions has a maximum timeout of 9 minutes and is not designed for continuous, high-throughput stream processing, and Cloud SQL is a relational database that cannot scale horizontally for massive time-series data ingestion. Option C is wrong because Cloud Storage is an object store for blobs/files, not a time-series database, and cannot support sub-second query latency on streaming data.

725
Multi-Selecteasy

Which TWO are best practices for reducing the cost of Cloud Logging for a high-traffic application?

Select 2 answers
A.Use exclusion filters to drop debug logs.
B.Route all logs to BigQuery for long-term storage.
C.Use log sinks to export logs to Cloud Storage and delete from Logging.
D.Set retention periods to the minimum required.
E.Disable default logs for all services.
AnswersA, D

Exclusion filters prevent logs from being ingested and stored, directly reducing costs for low-value logs like debug messages.

Why this answer

Option A is correct because exclusion filters in Cloud Logging allow you to drop specific log entries (e.g., debug-level logs) before they are ingested, which directly reduces the volume of logs billed. Since Cloud Logging charges based on the amount of data ingested, excluding high-volume, low-value logs like debug messages is a primary cost-saving measure.

Exam trap

The PCD exam often tests the misconception that exporting or deleting logs after ingestion reduces costs, but the trap here is that Cloud Logging bills on ingestion, not storage, so only exclusion filters (which prevent ingestion) actually lower the bill.

726
MCQmedium

A developer is designing a Cloud Spanner schema for a blog application with tables: Posts (PostId, AuthorId, Title, Content) and Comments (CommentId, PostId, Author, Text). They want to store comments near their parent post for efficient retrieval. Which schema design should they use?

A.Create a separate Comments table without interleaving and use application-level caching
B.Store comments as a JSON array within the Posts table
C.Use a foreign key from Comments to Posts and create a global secondary index on PostId
D.Use interleaving: define Comments as an interleaved table with Posts, with Comments primary key (PostId, CommentId)
AnswerD

Interleaving stores comments near their post row, minimizing latency for queries that fetch comments for a post.

Why this answer

Interleaved tables in Cloud Spanner allow storing child rows (Comments) physically near parent rows (Posts) if the child table's primary key includes the parent's primary key. This improves locality and reduces cross-split reads.

727
MCQmedium

A company is migrating a Cassandra-based time-series application to Google Cloud. They need to maintain single-digit millisecond write latency at petabyte scale. Which Google Cloud database is the BEST replacement?

A.Cloud Spanner
B.Firestore
C.BigQuery
D.Cloud Bigtable
AnswerD

Bigtable is a wide-column NoSQL database designed for high-throughput time-series workloads with single-digit ms latency.

Why this answer

Bigtable is the closest equivalent to Cassandra for time-series data, offering similar performance and scalability. Cloud Spanner is relational, and Firestore is for document data.

728
MCQhard

You have a Cloud Spanner database with a table that has a secondary index. You notice that queries using the index are performing a back join to the base table. Which index feature can you use to avoid this back join?

A.Use a composite primary key to include those columns
B.Use the STORING clause to include the queried columns in the index
C.Use a local secondary index instead of a global one
D.Use interleaving with the base table
AnswerB

STORING stores extra columns in the index, avoiding back join.

Why this answer

In Cloud Spanner, a secondary index does not store all columns of the base table by default. When a query uses the index but needs columns not present in the index, Spanner performs a back join (also called a table lookup) to retrieve those missing columns from the base table. The STORING clause allows you to include additional non-key columns in the index itself, making the index covering and eliminating the need for the back join.

Exam trap

The PCD exam often tests the misconception that a composite primary key or interleaving can substitute for covering indexes, but only the STORING clause directly addresses the back join by making the index self-contained.

How to eliminate wrong answers

Option A is wrong because a composite primary key reorganizes the base table's primary key structure but does not add columns to a secondary index; it cannot prevent a back join for queries that need columns not in the index. Option C is wrong because Cloud Spanner does not support local secondary indexes; all secondary indexes in Spanner are global by design, and the concept of local vs. global does not apply. Option D is wrong because interleaving organizes tables hierarchically for parent-child relationships and improves locality, but it does not add columns to an index; it cannot prevent a back join for a secondary index query.

729
MCQhard

You are managing a microservices application deployed on Google Kubernetes Engine (GKE) that uses Cloud Monitoring and Cloud Logging. Recently, users have reported intermittent slow response times, especially during peak hours. You have enabled the Ops Agent on GKE nodes and configured custom metrics for your services. The application consists of a frontend service, a backend API service, and a database service. The frontend calls the backend, which in turn queries the database. You notice that when the response time spikes, the frontend service's CPU utilization remains low, but the backend service's CPU utilization increases. The database service shows normal latency and no errors. You have examined the logs and found no application errors. The GKE cluster has three node pools: one for each service, with autoscaling enabled. The backend service is configured with a HorizontalPodAutoscaler (HPA) based on CPU utilization, but the HPA does not seem to scale up quickly enough during traffic spikes. You want to identify the root cause of the performance degradation. Which course of action should you take first?

A.Check the network latency between the frontend and backend services using Cloud Monitoring's network metrics.
B.Analyze the backend service's request latency distribution using Cloud Monitoring metrics to identify whether the issue is due to increased request volume or slow request processing.
C.Configure the backend service's HPA to use custom metrics based on request latency instead of CPU utilization.
D.Increase the minimum number of replicas for the backend service to handle peak traffic.
AnswerB

This directly addresses the symptom (backend CPU high) and helps determine if scaling or code optimization is needed.

Why this answer

Option B is correct because the intermittent slow response times during peak hours, combined with low frontend CPU but high backend CPU and normal database latency, strongly suggest the backend service is struggling to process requests quickly under load. Analyzing the backend's request latency distribution using Cloud Monitoring metrics (e.g., 99th percentile latency) will reveal whether the issue stems from increased request volume (which would show a shift in latency distribution) or from individual requests taking longer to process (e.g., due to inefficient code or resource contention). This diagnostic step directly addresses the symptom without making assumptions about scaling or network issues.

Exam trap

The PCD exam often tests the distinction between symptom analysis and solution implementation, where candidates jump to scaling or metric changes (options C or D) without first performing a proper diagnostic step like analyzing latency distributions.

How to eliminate wrong answers

Option A is wrong because checking network latency between frontend and backend would not explain why backend CPU increases while frontend CPU remains low; network latency typically affects both sides symmetrically and is unlikely to cause the observed CPU pattern. Option C is wrong because changing the HPA metric to request latency is a potential solution, but it should only be considered after diagnosing the root cause; jumping to reconfiguration without analysis risks masking the real issue (e.g., slow code) or causing instability. Option D is wrong because increasing the minimum replicas is a reactive scaling fix that does not address why the HPA fails to scale quickly; the HPA's slow response could be due to metric collection delays or incorrect configuration, which must be investigated first.

730
MCQmedium

A company uses Cloud Build to build and deploy a microservice. The build step that runs tests fails with a permission denied error when trying to access a private GitHub repository. The build configuration uses a default Cloud Build service account. The team has already added the GitHub repository as a trigger and provided credentials during trigger creation. However, the build step still fails. What is the most likely cause and solution?

A.Create a new service account with access to the secret containing the GitHub SSH key and use it in the build configuration.
B.Use Cloud Build's '--no-cache' flag to force a fresh clone.
C.Add a build step to run 'git config' to set user credentials.
D.Grant the Cloud Build service account the role 'Cloud Build Service Agent'.
AnswerA

Using a custom service account with IAM permissions to access the secret allows the build step to authenticate to GitHub.

Why this answer

Cloud Build uses the Cloud Build service account by default for executing build steps. To access private GitHub repositories, the build step must authenticate using the SSH key or access token stored in Secret Manager, and the Cloud Build service account needs permissions to read the secret. The error suggests the build step does not have the necessary authentication.

Using a custom service account with required permissions and retrieving the secret in the build step is the correct approach. The trigger credentials are only for triggering the build, not for build steps.

731
MCQmedium

A company is migrating a MySQL database to Cloud SQL. They plan to use Database Migration Service (DMS) with a continuous migration job to minimize downtime. How do they perform the cutover with zero downtime?

A.Take a snapshot of the Cloud SQL instance and restore it as a new instance.
B.Delete the migration job and manually update DNS to point to Cloud SQL.
C.Use the DMS console to promote the replica; the promotion applies pending changes and makes the Cloud SQL instance writable.
D.Stop the source database, take a final dump, and load it into Cloud SQL.
AnswerC

Promotion is the correct zero-downtime cutover step in DMS.

Why this answer

DMS continuous migration uses a promotion step. When the source and target are in sync, the engineer promotes the Cloud SQL replica to a standalone instance. The application then switches to the new Cloud SQL instance.

This is called 'promoting the replica' and can achieve near-zero downtime if coordinated correctly.

732
MCQhard

An organization is migrating a MySQL database to Cloud SQL for MySQL using Database Migration Service. The migration job is in the 'Full dump + CDC' phase. After a successful full dump, the CDC phase is replicating changes. To complete the migration with minimal downtime, what should the engineer do?

A.Wait for the CDC phase to automatically complete and promote.
B.Promote the Cloud SQL instance using the DMS console or API, which triggers a short cutover window.
C.Stop the application, then promote the Cloud SQL instance to make it the primary.
D.Delete the source database and then promote the Cloud SQL instance.
AnswerB

DMS promotion finalizes the migration by making the Cloud SQL instance the primary, with minimal downtime (seconds to minutes).

733
MCQmedium

An organization is using Cloud Spanner for a global application. They need to capture all data changes (inserts, updates, deletes) in a Spanner table and stream them to Pub/Sub for downstream processing. Which feature should they use?

A.Datastream for Spanner
B.Cloud Bigtable change data capture
C.Cloud Spanner change streams
D.Cloud SQL publication with pglogical
AnswerC

Change streams capture all DML changes and can be consumed by Pub/Sub or Dataflow.

Why this answer

Cloud Spanner change streams can capture row-level changes and publish them to Pub/Sub via Dataflow or direct integration.

734
MCQmedium

A financial services company uses a polyglot persistence architecture: Cloud SQL for MySQL for transactions, Cloud Bigtable for real-time risk calculations, and BigQuery for historical analytics. They need to move data from Bigtable to BigQuery every hour for reporting, with transformations. Which approach is MOST cost-effective and maintainable?

A.Use Datastream to stream Bigtable changes to BigQuery
B.Set up a Dataflow pipeline on a schedule that reads from Bigtable, transforms, and writes to BigQuery
C.Use BigQuery federated queries to query Bigtable directly for hourly reports
D.Write a Cloud Function that queries Bigtable and loads data into BigQuery every hour
AnswerB

Dataflow can handle large volumes, complex transformations, and schedule-based execution.

Why this answer

Option B is correct because Dataflow provides a fully managed, serverless execution environment that can read from Bigtable, apply transformations (e.g., using Apache Beam's PTransform), and write to BigQuery on a scheduled basis. This approach is cost-effective as it scales to zero when idle and uses autoscaling, and maintainable because the pipeline code is reusable and can be version-controlled. Alternatives either lack transformation capability, incur higher latency, or require custom orchestration that increases operational overhead.

Exam trap

The PCD exam often tests the misconception that Datastream can stream from any database, but in reality it only supports specific sources (MySQL, PostgreSQL, Oracle) and cannot read from Bigtable or other NoSQL stores.

How to eliminate wrong answers

Option A is wrong because Datastream is designed for change data capture (CDC) from sources like MySQL, Oracle, and PostgreSQL, not for reading from Bigtable; Bigtable does not support CDC streams that Datastream can consume. Option C is wrong because BigQuery federated queries (using the Bigtable external table) allow direct querying but do not support transformations and would incur high latency and cost for hourly full-table scans, plus they cannot persist transformed data into BigQuery tables. Option D is wrong because Cloud Functions have a maximum timeout of 9 minutes (540 seconds) and limited memory, making them unsuitable for reading large volumes from Bigtable and performing complex transformations within an hourly window; they also lack built-in retry and checkpointing for large data loads.

735
Multi-Selecteasy

A data engineer is migrating a Redshift data warehouse to BigQuery. Which THREE steps are typically required?

Select 4 answers
A.Load data from Cloud Storage into BigQuery.
B.Transfer data from S3 to Google Cloud Storage using Storage Transfer Service.
C.Use BigQuery Data Transfer Service for Redshift.
D.Convert Redshift SQL dialect to BigQuery SQL.
E.Unload data from Redshift to Amazon S3.
AnswersA, B, D, E

Data is loaded from GCS into BigQuery tables.

Why this answer

Common Redshift to BigQuery migration steps: unload data to Amazon S3, transfer to Google Cloud (Storage Transfer Service), then load into BigQuery. SQL dialect differences must be addressed.

736
MCQeasy

A company wants to analyse data across Google Cloud and Amazon Web Services without moving the data. They need to query live data in Amazon S3 and Google Cloud Storage from BigQuery. Which feature should they use?

A.Cloud Data Fusion
B.BigQuery federated queries
C.BigQuery Omni
D.Cloud Dataproc with Spark SQL
AnswerC

BigQuery Omni enables querying data across multi-cloud storage (AWS S3, Azure Blob) directly from BigQuery.

Why this answer

BigQuery Omni allows you to query data across Google Cloud, AWS, and Azure without moving the data. It uses BigQuery's federated query engine to run queries directly on data stored in Amazon S3 and Google Cloud Storage, leveraging BigQuery's standard SQL interface. This meets the requirement of querying live data across both clouds without data movement.

Exam trap

The PCD exam often tests the distinction between BigQuery federated queries (limited to Google Cloud sources) and BigQuery Omni (multi-cloud), so candidates mistakenly choose federated queries thinking it covers S3, but it does not.

How to eliminate wrong answers

Option A is wrong because Cloud Data Fusion is a data integration service for building ETL/ELT pipelines, not for directly querying live data across clouds without moving it. Option B is wrong because BigQuery federated queries only support querying external data sources within Google Cloud (e.g., Cloud Storage, Cloud SQL, Bigtable) and do not natively query Amazon S3. Option D is wrong because Cloud Dataproc with Spark SQL requires spinning up a managed Spark cluster and typically involves moving or copying data into the cluster's storage, not querying live data across clouds without data movement.

737
MCQhard

You need to set up a notification channel that sends alerts to a third-party incident management system using webhooks. What must be configured?

A.A Slack channel integration
B.A Webhook notification channel in Cloud Monitoring
C.A Pub/Sub topic and subscription
D.An email notification channel
AnswerB

In Cloud Monitoring alerting policies, you can create a notification channel of type 'Webhook' and specify the URL of the third-party system.

Why this answer

A webhook notification channel in Cloud Monitoring is the correct choice because webhooks allow Cloud Monitoring to send HTTP POST requests (typically JSON payloads) to a third-party incident management system's endpoint. This enables automated alert delivery without requiring a native integration, making it the standard method for connecting to external systems like PagerDuty, Opsgenie, or custom webhook receivers.

Exam trap

The PCD exam often tests the distinction between a generic webhook channel and platform-specific integrations (like Slack or email), leading candidates to mistakenly choose a specific integration when the requirement is for a generic third-party system.

How to eliminate wrong answers

Option A is wrong because a Slack channel integration is a specific notification channel type for Slack, not a generic webhook mechanism; it cannot be used to send alerts to arbitrary third-party incident management systems. Option C is wrong because a Pub/Sub topic and subscription is a messaging infrastructure for asynchronous event distribution, not a direct notification channel; while it can be used to forward alerts, it requires additional configuration to trigger webhooks and is not the direct solution for sending alerts via webhooks. Option D is wrong because an email notification channel sends alerts via SMTP, not HTTP webhooks, and cannot interface with a webhook-based incident management system.

738
MCQmedium

A team deploys a containerized application on Cloud Run and notices increased latency during traffic spikes due to cold starts. Which configuration change would best address this?

A. Set min_instances to a value greater than 0
B. Set concurrency to 1
C. Enable CPU always allocated
D. Increase max_instances
Answer: A

Min instances ensure warm instances are always available, reducing cold start latency.

Why this answer

Option A is correct because setting min_instances to a value greater than 0 keeps a baseline of warm instances ready to handle traffic, reducing cold starts. Option B is wrong because setting concurrency to 1 limits throughput, worsening scaling behavior. Option C is wrong because enabling CPU always allocated does not create new instances.

Option D is wrong because increasing max_instances does not prevent cold starts.

739
MCQ · easy

A data engineer needs to run complex transformations on streaming data from Pub/Sub and then write the results to both BigQuery and Cloud Bigtable. Which Google Cloud service is best suited for this task?

A. Cloud Data Fusion
B. Dataflow
C. Datastream
D. Cloud Functions
Answer: B

Dataflow excels at stream processing with complex transforms and multi-sink writes.

Why this answer

Dataflow is the correct choice because it is a fully managed, unified stream and batch processing service built on Apache Beam. It can directly read from Pub/Sub, apply complex transformations (e.g., windowing, aggregations, joins), and write the results to both BigQuery and Cloud Bigtable using native Beam I/O connectors, all within a single pipeline.

Exam trap

The trap here is that candidates may choose Cloud Data Fusion (A) because it is a visual ETL tool, but they overlook that it lacks native streaming support from Pub/Sub and cannot write to Cloud Bigtable, making Dataflow the only service that can handle the full streaming pipeline with complex transformations and dual sinks.

How to eliminate wrong answers

Option A is wrong because Cloud Data Fusion is a graphical ETL tool for batch-oriented data integration and does not natively support real-time streaming from Pub/Sub or direct writes to Cloud Bigtable. Option C is wrong because Datastream is designed for change data capture (CDC) from operational databases to BigQuery and other targets, not for running complex transformations on streaming data from Pub/Sub. Option D is wrong because Cloud Functions is a serverless compute service for lightweight, event-driven code, not suitable for long-running, stateful, complex stream processing with multiple sinks like BigQuery and Bigtable.

740
MCQ · hard

A company uses Datastream to replicate data from an on-premises MySQL database to BigQuery. They notice that the destination BigQuery table has a large number of rows that are duplicates with different timestamps. What is the most likely cause?

A. There is a primary key missing on the source table
B. BigQuery merge operation is not deduplicating
C. MySQL binary log is in STATEMENT format
D. Datastream is configured in 'at least once' delivery mode
Answer: D

Datastream uses at-least-once delivery, which can cause duplicates if the stream is restarted.

Why this answer

Datastream uses CDC and can deliver duplicate records if the source MySQL binary log is not configured with ROW-based replication and the log position tracking resets due to a restart or network issue. Duplicates can occur if the stream restarts from a checkpoint.

741
MCQ · easy

A company wants to deploy a containerized application on Google Kubernetes Engine (GKE) with zero downtime during updates. The application is stateless and runs on a Deployment with 5 replicas. Which deployment strategy should be used?

A. Blue/green deployment
B. Recreate update
C. Canary deployment
D. Rolling update
Answer: D

Rolling update replaces pods incrementally, maintaining availability.

Why this answer

A rolling update is the default deployment strategy in Kubernetes and is ideal for stateless applications requiring zero downtime. It gradually replaces old Pods with new ones, ensuring that a minimum number of replicas remain available throughout the update. This strategy is configured via the `strategy.type: RollingUpdate` field in the Deployment spec, with parameters like `maxSurge` and `maxUnavailable` controlling the pace.

Exam trap

The PCD exam often tests the distinction between built-in Kubernetes strategies (rolling update, recreate) and external deployment patterns (blue/green, canary) that require additional configuration or tools, leading candidates to overcomplicate the answer for a simple stateless workload.

How to eliminate wrong answers

Option A is wrong because blue/green deployment requires maintaining two separate environments (blue and green) and switching traffic via a Service or Ingress, which is more complex and resource-intensive than needed for a simple stateless application with 5 replicas; it is not a native Kubernetes Deployment strategy. Option B is wrong because the Recreate update strategy terminates all existing Pods before creating new ones, causing downtime during the update, which violates the zero-downtime requirement. Option C is wrong because canary deployment is a release pattern that routes a small percentage of traffic to the new version for testing, but it is not a built-in Deployment strategy in Kubernetes; it requires additional tooling like Istio or Flagger and is typically used for risk mitigation, not for achieving zero downtime in a simple stateless app.

742
MCQ · easy

A company runs a containerized application on Google Kubernetes Engine (GKE) with a regional cluster. The application experiences intermittent slowdowns during peak hours. The team notices that the number of nodes is not scaling up quickly enough. The application consists of a frontend deployment with a HorizontalPodAutoscaler (HPA) targeting 80% CPU utilization, and the cluster has a Cluster Autoscaler enabled with a maximum of 10 nodes. During a recent spike, the HPA increased replicas, but the Cluster Autoscaler was slow to add nodes, causing the new pods to remain pending. What is the most likely cause of this delay?

A. The cluster is configured with a single zone, limiting node pool expansion.
B. The Cluster Autoscaler has a built-in delay before adding nodes to avoid flapping.
C. The HPA is using a custom metric that is not supported by the Cluster Autoscaler.
D. The node pool's autoscaling is limited by the quota for Compute Engine resources in that zone.
Answer: B

The default delay is 10 minutes, causing pending pods during spikes.

Why this answer

The Cluster Autoscaler includes a built-in cooldown period (default 10–15 minutes) to prevent flapping—rapidly adding and removing nodes in response to transient spikes. During this delay, pending pods cannot be scheduled on new nodes, which explains why the HPA increased replicas but the new pods remained pending. This is the most likely cause given that the cluster is regional and the autoscaler is enabled.

Exam trap

The PCD exam often tests the misconception that node scaling delays are caused by resource quotas or zone misconfigurations, when in fact the Cluster Autoscaler's built-in cooldown mechanism is the default cause of slow node addition.

How to eliminate wrong answers

Option A is wrong because a regional cluster by definition spans multiple zones, so single-zone limitation does not apply. Option C is wrong because the HPA targeting 80% CPU utilization uses a standard resource metric (CPU), which is fully supported by the Cluster Autoscaler; custom metrics do not affect node scaling. Option D is wrong because while Compute Engine resource quotas can limit scaling, the question states the cluster has a maximum of 10 nodes and does not mention quota exhaustion; the delay is specifically due to the autoscaler's built-in cooldown, not a quota issue.

743
MCQ · easy

Which Google Cloud database is a serverless data warehouse designed for analytical queries on petabyte-scale data, with SQL interface and built-in machine learning capabilities?

A. BigQuery
B. AlloyDB
C. Cloud Bigtable
D. Cloud Spanner
Answer: A

BigQuery is a serverless data warehouse with SQL and ML capabilities, ideal for analytics at scale.

Why this answer

BigQuery is the serverless, highly scalable data warehouse for analytics. It supports SQL and BigQuery ML for in-database ML.

744
MCQ · medium

A company is migrating from Oracle to Cloud SQL for PostgreSQL. They have a table with a column of type RAW(16). Which PostgreSQL data type should they use?

A. BYTEA
B. BYTES
C. UUID
D. TEXT
Answer: A

BYTEA is the equivalent of RAW for binary data.

Why this answer

Oracle RAW is a variable-length binary data type. The PostgreSQL equivalent is BYTEA. UUID is for universally unique identifiers, but RAW can store any binary data, not just UUIDs.

TEXT is for strings, and BYTEA is the correct binary type.

745
MCQ · hard

An engineer is deploying a Cloud Spanner instance for a global application that requires strong consistency across continents. The workload is moderate, and they want to minimize costs while meeting latency requirements. Which instance configuration should they choose?

A. Dual-region configuration with 500 processing units
B. Multi-region configuration with 1000 nodes
C. Regional configuration with 100 processing units
D. Multi-region configuration with 500 processing units
Answer: A

Dual-region offers synchronous replication across two regions (e.g., US and Europe) with strong consistency, and is more cost-effective than multi-region for moderate workloads.

Why this answer

Multi-region configurations provide strong global consistency and high availability across continents, but are expensive. Dual-region offers synchronous replication across two regions, a cost-effective option for moderate workloads needing strong consistency across two geographic areas. Regional is single-region, not global.

Multi-region with 1000 nodes is overkill.

746
Multi-Select · hard

A data engineer is designing a Bigtable schema for a global ad-tech platform. The workload includes time-series clickstream data with row keys like 'advertiser_id#campaign_id#timestamp'. They are experiencing uneven load distribution. Which TWO row key design changes would best distribute writes across nodes? (Choose two)

Select 2 answers
A. Swap the order to 'timestamp#advertiser_id#campaign_id'
B. Use a single table per advertiser
C. Increase the number of Bigtable nodes to 100
D. Use a composite key with campaign_id first
E. Add a salt (hash of advertiser_id) as the first component
Answers: A, E

Putting timestamp first distributes writes as timestamps are monotonically increasing.

Why this answer

Option A is correct because placing the timestamp first in the row key ensures that writes are spread across the Bigtable tablet server range. In Bigtable, rows are sorted lexicographically by row key; leading with a monotonically increasing value (like timestamp) causes all new writes to hit a single tablet, creating a hotspot. By swapping to 'timestamp#advertiser_id#campaign_id', writes are still sequential but the timestamp prefix alone does not guarantee perfect distribution—however, combined with salting (Option E), it avoids the original hotspot caused by the advertiser_id prefix.

Exam trap

Cisco often tests the misconception that simply reordering row key components (like putting timestamp first) is sufficient to fix hotspots, when in reality a monotonically increasing prefix still causes sequential writes to a single tablet unless combined with salting or a non-sequential prefix.

747
MCQ · hard

An engineering team is designing an AlloyDB cluster for an e-commerce platform. They anticipate variable read traffic and want to automatically add or remove read-only compute capacity based on CPU utilization. Which feature should they enable?

A. Enable query distribution across read pool instances.
B. Read pool autoscaling
C. Configure a managed instance group for the read pool.
D. Set up Cloud SQL read replicas with cross-region replication.
Answer: B

AlloyDB read pools support autoscaling based on CPU utilization, adding or removing instances as needed.

Why this answer

AlloyDB’s read pool autoscaling automatically adjusts the number of read pool instances based on metrics like CPU utilization. Query distribution is built-in, but autoscaling is the specific feature for capacity changes. Instance groups are a Compute Engine concept.

Read replicas in Cloud SQL are not automatically scaled.

748
MCQ · medium

A company uses Cloud Spanner for its global ordering system and needs to stream order changes to a Pub/Sub topic for real-time inventory updates. They also need to archive old orders to BigQuery for historical analysis. What is the simplest architecture to achieve both goals?

A. Use a single Dataflow pipeline that reads from Spanner change streams and writes to both Pub/Sub and BigQuery
B. Enable Spanner change streams to publish to Pub/Sub, and then use a Dataflow pipeline to subscribe to the Pub/Sub topic and write to BigQuery
C. Use two separate Dataflow pipelines: one reading from change streams to Pub/Sub, another reading from Pub/Sub to BigQuery
D. Export Spanner tables to Avro in GCS nightly and load into BigQuery; use Cloud Functions to capture changes to Pub/Sub
Answer: B

This uses change streams for real-time events and Dataflow for archiving to BigQuery, with minimal complexity.

Why this answer

Option B is correct because it leverages Spanner change streams' native ability to publish directly to Pub/Sub, which is the simplest integration path. A single Dataflow pipeline then subscribes to that Pub/Sub topic to write to BigQuery, fulfilling both the real-time streaming and archival requirements with minimal moving parts. This avoids the complexity of reading change streams directly in Dataflow or managing multiple pipelines.

Exam trap

Cisco often tests the misconception that Dataflow must directly read from Spanner change streams (Option A) or that multiple pipelines are needed (Option C), when the simplest and most scalable approach is to use Spanner's native Pub/Sub integration.

How to eliminate wrong answers

Option A is wrong because reading Spanner change streams directly in a Dataflow pipeline requires manual handling of checkpointing and stream partitioning, adding unnecessary complexity compared to using Spanner's built-in Pub/Sub integration. Option C is wrong because using two separate Dataflow pipelines introduces redundant processing and higher operational overhead; a single pipeline subscribing to Pub/Sub is simpler and sufficient. Option D is wrong because nightly Avro exports to GCS are batch-oriented and cannot provide real-time streaming to Pub/Sub, and Cloud Functions are not designed for reliable, ordered change capture from Spanner to Pub/Sub.

749
MCQ · medium

A developer runs the above command and receives the error. What is the most likely cause?

A. The image tag format is incorrect.
B. The cloudbuild.yaml file is not present in the current directory.
C. The Dockerfile is missing from the repository.
D. The cloudbuild.yaml file has a syntax error, such as incorrect indentation.
Answer: D

The error message directly indicates a YAML parsing issue.

Why this answer

The error is most likely due to a syntax error in the cloudbuild.yaml file, such as incorrect indentation. Cloud Build uses YAML for configuration, and YAML is sensitive to indentation; a missing space or incorrect alignment can cause the build to fail with a parsing error. The command `gcloud builds submit` reads the cloudbuild.yaml file from the current directory, and if the YAML is malformed, the submission will fail before any Docker or build steps are executed.

Exam trap

The PCD exam often tests the distinction between configuration file syntax errors and missing file errors, so the trap here is that candidates assume a missing Dockerfile or cloudbuild.yaml is the problem, when the error message specifically points to a YAML parsing issue.

How to eliminate wrong answers

Option A is wrong because the image tag format is not the issue; the command `gcloud builds submit` does not require a specific image tag in the command itself unless explicitly passed via `--tag`, and the error is about the build configuration, not the tag. Option B is wrong because the error message would explicitly state that the file is missing (e.g., 'File not found'), not a syntax error; the command looks for cloudbuild.yaml in the current directory by default, and if it were absent, the error would be different. Option C is wrong because a missing Dockerfile would cause a build step failure later in the process, not a syntax error during the submission of the cloudbuild.yaml file; the error occurs before any Docker build is attempted.

750
MCQ · easy

A company is deploying a microservices architecture on Google Kubernetes Engine (GKE). They need to monitor inter-service latency and error rates. Which set of Google Cloud services should they use to collect and visualize these metrics?

A. Cloud Trace, Cloud Debugger, and Cloud Profiler
B. Cloud Monitoring, Cloud Logging, and Cloud Trace
C. Cloud Logging, Cloud Run, and Cloud Build
D. Cloud Monitoring, Cloud Functions, and Cloud Pub/Sub
Answer: B

These three services together provide metrics, logs, and traces for observability.

Why this answer

Option B is correct because Cloud Monitoring collects metrics like latency and error rates, Cloud Logging aggregates logs for deeper analysis, and Cloud Trace provides distributed tracing to track requests across microservices. Together, they enable end-to-end observability of inter-service performance in GKE, with Cloud Monitoring visualizing the data via dashboards and alerts.

Exam trap

The trap here is that candidates confuse Cloud Debugger and Cloud Profiler with monitoring tools, but they are for debugging and profiling, not for collecting inter-service latency or error rate metrics.

How to eliminate wrong answers

Option A is wrong because Cloud Debugger captures application state at specific code points for debugging, not for collecting latency or error rate metrics, and Cloud Profiler analyzes CPU/memory usage, not inter-service latency. Option C is wrong because Cloud Logging handles logs but Cloud Run is a serverless compute platform, not a monitoring service, and Cloud Build is a CI/CD tool unrelated to runtime monitoring. Option D is wrong because Cloud Monitoring collects metrics but Cloud Functions is a serverless compute service, not a monitoring tool, and Cloud Pub/Sub is a messaging service that does not visualize or collect latency/error metrics.

Google Professional Cloud Developer PCD Questions 676–750 | Page 10/14 | Courseiva