Google Professional Cloud Developer (PCD) — Questions 301–375

500 questions total · 7 pages · All types, answers revealed


Page 5 of 7

301
Drag & Drop · medium

Drag and drop the steps to troubleshoot a failed Cloud Build in the correct order.



Why this order

Troubleshooting involves reviewing logs and configuration, then fixing and re-running.

302
MCQ · medium

You are deploying a Cassandra database on GKE. Which resource type should you use to ensure stable network identities and persistent storage per pod?

A. Job with persistent disk
B. Deployment with persistent volume claims
C. StatefulSet with volumeClaimTemplates
D. DaemonSet with hostPath volumes
Answer: C

Provides stable identities and persistent storage.

Why this answer

StatefulSet is the correct resource because it provides stable, unique network identities (via headless Service and ordinal pod names) and persistent storage per pod through volumeClaimTemplates, which dynamically create PersistentVolumeClaims for each replica. This is essential for Cassandra, which requires stable node identities and dedicated storage to maintain cluster state and data consistency.

Exam trap

Cisco often tests the misconception that Deployments can handle stateful workloads by attaching PersistentVolumeClaims, but the trap is that Deployments lack stable network identities and per-pod storage binding, which are required for databases like Cassandra to maintain cluster membership and data integrity.

How to eliminate wrong answers

Option A is wrong because a Job is designed for batch processing tasks that run to completion, not for long-running stateful applications like Cassandra, and it does not provide stable network identities or persistent storage per pod. Option B is wrong because a Deployment provides replicas with ephemeral identities (random pod names) and shared PersistentVolumeClaims, which cannot guarantee stable network identities or dedicated storage per pod, leading to data conflicts and cluster instability for Cassandra. Option D is wrong because a DaemonSet runs one pod per node, which does not provide stable per-pod identities or dedicated persistent storage; hostPath volumes tie data to a specific node, causing data loss if the pod is rescheduled to a different node, and they lack the dynamic provisioning needed for Cassandra.

303
Multi-Select · medium

Which TWO statements are true about Cloud Functions? (Choose two.)

Select 2 answers
A. Cloud Functions automatically scale based on the number of incoming events
B. Cloud Functions require you to provide a container image from Container Registry
C. Cloud Functions are stateless by design
D. Cloud Functions can only be triggered by HTTP requests
E. Cloud Functions have a maximum execution timeout of 9 minutes for all runtimes
Answers: A, C

Cloud Functions scale out to handle multiple events concurrently.

Why this answer

Cloud Functions automatically scale horizontally based on the number of incoming events, such as HTTP requests or Pub/Sub messages. The platform handles this scaling transparently, spinning up new function instances as needed to handle concurrent invocations, and scaling down to zero when idle. This is a key serverless characteristic that eliminates the need for manual capacity planning.

Exam trap

Cisco often tests the misconception that Cloud Functions are limited to HTTP triggers or that the 9-minute timeout applies to all runtimes and trigger types, when in fact event-driven functions have a significantly longer timeout and multiple trigger options exist.

304
MCQ · medium

A team is deploying a containerized application to Cloud Run. The application needs to process large files (up to 500 MB) uploaded by users. Which storage approach should they use to avoid Cloud Run's request size limit?

A. Upload files directly to Cloud Run
B. Mount a Cloud Filestore volume
C. Use Cloud Functions as a proxy for uploads
D. Use signed URLs to upload to Cloud Storage
Answer: D

Signed URLs enable direct client-to-Cloud Storage uploads, bypassing Cloud Run's request size limit.

Why this answer

Cloud Run has a default request size limit of 32 MB, which is far below the 500 MB files the application needs to process. Using signed URLs allows users to upload files directly to Cloud Storage, bypassing Cloud Run entirely. This approach avoids the request size limit and offloads the storage and retrieval of large files to a scalable, managed service.

Exam trap

Cisco often tests the misconception that Cloud Run can handle large request payloads by scaling, but the actual trap is that Cloud Run's request size is hard-limited to 32 MB, and candidates may overlook the need to offload uploads to a dedicated storage service like Cloud Storage.

How to eliminate wrong answers

Option A is wrong because Cloud Run enforces a 32 MB request size limit (configurable up to 32 MB), so uploading files directly to the container would fail for files up to 500 MB. Option B is wrong because Cloud Filestore is a network file system for GCE and GKE, not supported as a mounted volume in Cloud Run; Cloud Run only supports mounting Cloud Storage buckets via FUSE or NFS-like volumes. Option C is wrong because Cloud Functions also has a request size limit (10 MB for HTTP triggers), so using it as a proxy would still be constrained and adds unnecessary latency and complexity without solving the size limitation.

305
MCQ · easy

A company runs a web application on Google Kubernetes Engine (GKE) that uses Cloud SQL for its database. The application is deployed via Cloud Build and uses a custom container image stored in Artifact Registry. Recently, the development team noticed that new deployments are failing with a 'CrashLoopBackOff' error in the pod logs. The logs indicate that the application cannot connect to the Cloud SQL instance. The application uses the Cloud SQL Proxy sidecar container to connect. The Cloud SQL Proxy configuration has not changed recently. The GKE cluster is in region us-central1, and the Cloud SQL instance is in us-central1 as well. The team verified that the Cloud SQL instance is running and accepting connections from authorized networks. They also confirmed that the service account used by the pod has the 'Cloud SQL Client' role. The application had been running stably for months until a recent GKE cluster upgrade. The deployment YAML uses environment variables for the database connection. The Cloud SQL Proxy is deployed as a sidecar container with the command '/cloud_sql_proxy -instances=<instance-connection-name>=tcp:5432'. The pod logs show the proxy attempting to connect but timing out. The network team confirms that there are no firewall rules blocking the connection. The Cloud SQL instance has an authorized network entry for the GKE cluster's nodes' IP range. What is the most likely cause of the connection failure?

A. The Cloud SQL Proxy container is using an outdated version that is incompatible with the current Cloud SQL API.
B. The application is using a wrong database password in the connection string.
C. The pod's namespace does not have the Cloud SQL Proxy configuration correctly set up.
D. The Cloud SQL instance is configured with a private IP and the GKE cluster is VPC-native, but the Cloud SQL Proxy is configured to connect via public IP.
Answer: D

The proxy defaults to public IP; with a private IP instance and no public IP, connection times out.

Why this answer

Option D is correct because the Cloud SQL Proxy sidecar is configured to connect via public IP (using the instance connection name without the `-private-ip` flag), but the Cloud SQL instance is configured with a private IP. Since the GKE cluster is VPC-native, the pod can reach the private IP within the VPC, but the proxy is attempting a public IP connection, which fails because the instance's authorized networks only include the GKE nodes' IP range (public IPs of nodes), not the pod's private IP range. The recent GKE cluster upgrade may have changed the node's public IP or networking configuration, exacerbating the mismatch.

Exam trap

Cisco often tests the distinction between public and private IP connectivity for Cloud SQL Proxy, where candidates assume the proxy automatically uses the correct IP based on the instance configuration, but it requires an explicit flag to use private IP.

How to eliminate wrong answers

Option A is wrong because the Cloud SQL Proxy version compatibility with the Cloud SQL API is not a common cause of timeout errors; the proxy uses the same SQL protocol and API version regardless of minor version changes. Option B is wrong because the error is a connection timeout, not an authentication failure; a wrong password would result in an 'access denied' error, not a timeout. Option C is wrong because the Cloud SQL Proxy configuration is defined in the pod spec, not at the namespace level; the proxy's command-line arguments are set in the container definition, and the namespace does not affect proxy connectivity.

306
MCQ · medium

A team wants to monitor custom application metrics from a Compute Engine instance. They use the Cloud Monitoring agent. Which metric type should they use to report a gauge measurement like current memory usage?

A. histogram
B. delta
C. cumulative
D. gauge
Answer: D

Gauge metric type reports instantaneous values.

Why this answer

Option D is correct because a gauge metric type is specifically designed to report a value that can arbitrarily increase or decrease over time, such as current memory usage. The Cloud Monitoring agent supports gauge metrics for point-in-time measurements, and they are reported as a single data point without any aggregation window, making them ideal for snapshot-like observations.

Exam trap

Google Cloud often tests the distinction between metric types by presenting a scenario where a value can go up or down, and candidates mistakenly choose cumulative because they associate it with 'total usage' over time, forgetting that cumulative metrics must be monotonically increasing.

How to eliminate wrong answers

Option A is wrong because histogram metrics are used to capture the distribution of values over a time window (e.g., request latency percentiles), not a single instantaneous value like current memory usage. Option B is wrong because delta metrics represent the change in a value between two time points (e.g., requests per second), but current memory usage is not a rate or difference; it is an absolute snapshot. Option C is wrong because cumulative metrics monotonically increase over time (e.g., total bytes sent), and memory usage can decrease, which violates the monotonic property required for cumulative metrics.

307
MCQ · hard

A company has a monorepo with multiple services. They want to only build and test the services that have changed in a given commit. Which Cloud Build feature should they use?

A. Build triggers with filepath filters
B. Use a custom builder image
C. Build triggers with branch filters
D. Use Cloud Build substitutions
Answer: A

Filepath filters (included_files/ignored_files) limit the trigger to specific paths, enabling per-service builds.

Why this answer

Cloud Build triggers support filepath filters (also called 'included files' and 'ignored files'), which allow the trigger to fire only when changes occur in specific paths. This is ideal for monorepos. Branch filters are for branches, not files.

Substitutions are variables, not filtering. Custom builders don't provide this logic.

308
MCQ · medium

A developer deploys a service on Cloud Run with a concurrency setting of 1. The service makes external API calls. Under heavy load, the service starts returning 503 errors. What is the most likely cause?

A. The container image is too large.
B. The Cloud Run service is hitting the maximum number of requests per second limit.
C. The API endpoint rate limits the requests.
D. Instance concurrency is too low, causing request queuing and timeout.
Answer: D

Low concurrency forces many instances, potentially hitting max instances and causing 503s.

Why this answer

With concurrency=1, each instance handles one request at a time, so many requests cause many instances to spin up, possibly hitting max instances limit and causing 503s. Option C is correct. Option A doesn't cause 503s.

Option B is about quota, but concurrency is more direct. Option D is external.

309
MCQ · medium

You are deploying a Node.js application on Cloud Run. The container image is stored in Artifact Registry. After deploying with gcloud run deploy, the revision fails with 'Container failed to start. Failed to start and then listen on the port defined by the PORT environment variable.' The application listens on port 8080 by default. The Dockerfile uses EXPOSE 8080. The Cloud Run service is configured with container port 8080. You have verified that the container starts locally using docker run -p 8080:8080. What is the most likely cause of the startup failure?

A. The application is hardcoded to listen on port 8080, but the Cloud Run environment variable PORT may override it to a different value.
B. The application is trying to bind to a privileged port.
C. The Cloud Run service is configured with container port 443 by default.
D. The container does not have a proper HEALTHCHECK instruction.
Answer: A

Cloud Run sets the PORT variable; the app must read it.

Why this answer

Option A is correct because Cloud Run sets the PORT environment variable to 8080 by default, but if the application is hardcoded to listen on 8080 instead of reading PORT, it may fail if the variable is not set or incorrect. Option B is wrong because the DEFAULT port variable is not used. Option C is wrong because the container port is set correctly.

Option D is wrong because port 8080 is not privileged.

310
MCQ · easy

A company is designing a cloud-native application on Google Cloud that requires low-latency access to a global user base. The application serves static content and dynamic APIs. Which strategy best minimizes latency while maintaining high availability?

A. Deploy the application in a single region and use Cloud Interconnect for global access.
B. Use Cloud CDN to cache static content and deploy the API across multiple regions with global load balancing.
C. Use Cloud Armor to protect the application and rely on Google's backbone for low latency.
D. Store all content in Cloud Storage and serve directly from there.
Answer: B

Cloud CDN caches at edge locations, and multi-region deployment with global load balancing reduces latency for dynamic content.

Why this answer

Option B is correct because it combines Cloud CDN for caching static content at edge locations worldwide, reducing latency for static assets, and deploys the dynamic API across multiple regions with global load balancing (using Google Cloud's global external HTTP(S) load balancer) to route users to the nearest healthy backend, minimizing latency for dynamic requests while ensuring high availability through regional redundancy.

Exam trap

The trap here is that candidates may think Cloud Interconnect or Cloud Armor alone can solve global latency, overlooking the need for edge caching and multi-region deployment to reduce physical distance and provide redundancy.

How to eliminate wrong answers

Option A is wrong because deploying in a single region forces all traffic to traverse potentially long distances, and Cloud Interconnect provides dedicated connectivity to Google's network but does not reduce geographic latency for global users; it also creates a single point of failure. Option C is wrong because Cloud Armor provides DDoS protection and WAF capabilities but does not reduce latency; relying solely on Google's backbone does not address the need for edge caching or multi-region distribution. Option D is wrong because serving all content directly from Cloud Storage without a CDN or global load balancing results in higher latency for users far from the storage region, and Cloud Storage alone does not provide dynamic API serving or global traffic management.

311
MCQ · hard

A company runs a stateful application on Compute Engine with regional persistent disks. They want to achieve high availability with automatic failover in case of a zone failure. Which architecture meets these requirements?

A. Use Cloud Storage FUSE to mount a multi-regional bucket as a filesystem
B. Use standard persistent disks with scheduled snapshots to a multi-region bucket
C. Use zonal persistent disks with a managed instance group in a single zone
D. Use regional persistent disks with a managed instance group spanning two zones
Answer: D

Regional disks provide synchronous replication; instance group autohealing restarts VMs on failure.

Why this answer

Option D is correct because regional persistent disks synchronously replicate data across two zones, and when combined with a managed instance group (MIG) spanning those same two zones, the application can automatically fail over to the healthy zone if one zone fails. The MIG's autohealing and health-check mechanisms detect the failure and recreate instances in the surviving zone, while the regional PD remains accessible from either zone, ensuring high availability without manual intervention.

Exam trap

The trap here is that candidates confuse zonal persistent disks with regional persistent disks, or assume that snapshots (Option B) provide automatic failover, when in reality snapshots are for backup/DR and require manual recovery steps, not instant zone-failure recovery.

How to eliminate wrong answers

Option A is wrong because Cloud Storage FUSE mounts a multi-regional bucket as a filesystem, but Cloud Storage is an object store with eventual consistency (not POSIX-compliant), and it does not support synchronous replication or automatic failover for stateful applications requiring persistent disk semantics. Option B is wrong because standard persistent disks are zonal resources; scheduled snapshots to a multi-region bucket provide backup and disaster recovery, not automatic failover within minutes, and restoring from a snapshot requires manual or scripted steps, not instant failover. Option C is wrong because zonal persistent disks are tied to a single zone, and a managed instance group in a single zone cannot survive a zone failure—the instances and disks become unavailable simultaneously.

312
MCQ · easy

A developer wants to run integration tests against a Cloud Spanner emulator in a local development environment. What is the best way to set up the emulator?

A. Use a mock library instead of an emulator.
B. Use the Cloud Spanner API directly without an emulator.
C. Run the Cloud Spanner emulator Docker container and set the SPANNER_EMULATOR_HOST environment variable.
D. Install the emulator using `gcloud emulators spanner start`.
Answer: C

Docker ensures a consistent environment and easy setup.

Why this answer

Option C is correct because running the Cloud Spanner emulator via Docker is the recommended approach for local development. Option A is also valid but Docker provides better consistency across environments. Option B is unsafe as it uses a production service.

Option D is for unit tests, not integration tests.

313
Multi-Select · easy

Which TWO statements about building container images for Google Cloud Run are correct? (Choose TWO.)

Select 2 answers
A. The container must use HTTP/1.1; HTTP/2 is not supported.
B. The container must respond to health checks on the same port as the main application.
C. The container must be stateless and not rely on local file system persistence.
D. The container must listen on port 8080 by default.
E. The container must run as root user.
Answers: B, C

Health checks are sent to the container's port; the app must respond with 200 OK.

Why this answer

Option B is correct because Cloud Run requires the container to respond to health checks (e.g., HTTP GET /health) on the same port as the main application. Cloud Run uses the same port for both user requests and health check probes; if the health check fails, the container is restarted. This ensures the container is always ready to serve traffic.

Exam trap

Cisco often tests the misconception that Cloud Run mandates port 8080 or requires HTTP/1.1, but the actual requirement is that the container must respond to health checks on the same port as the main application and must be stateless.

314
MCQ · hard

You are a Cloud Developer working for an e-commerce company. The company uses Cloud Build to build and deploy a Python application to the App Engine standard environment. The application uses Cloud SQL for its database. The team recently updated the application code and added a new dependency. The build succeeds, but the deployment fails with 'Error Response: [9] Application startup error!' You check the logs and see 'ImportError: No module named requests'. The team uses a requirements.txt file. However, the requirements.txt file has been configured correctly in the past. The team also uses a custom runtime config in app.yaml with an 'entrypoint' field. They did not change any configuration files. What is the most likely cause of this error?

A. The app.yaml file incorrectly specifies 'runtime: python27' but the code uses Python 3, and python27 does not automatically install dependencies from requirements.txt.
B. The custom entrypoint in app.yaml bypasses the automatic installation of dependencies.
C. The app.yaml file specifies 'runtime: python39', which is not supported by App Engine standard.
D. The requirements.txt file is missing from the deployment directory.
Answer: A

Python 2.7 runtime requires manually specifying libraries in app.yaml.

Why this answer

Option D is correct because App Engine standard environment uses the Python 3 runtime and does not install dependencies from requirements.txt automatically unless the runtime is Python 3 and the file is present. If the runtime is Python 2.7, it uses app.yaml to specify libraries. Given the error, likely the wrong runtime.

Option A is wrong because the file is present and hasn't changed. Option B is wrong because the entrypoint field doesn't affect dependency installation. Option C is wrong because there is no 'runtime: python39' field; it's 'python39' as a runtime value.

315
MCQ · hard

A company uses Cloud Build to build Docker images and push them to Artifact Registry. They want to ensure that only images built from a specific Cloud Build trigger are deployed to production. Which combination of steps should they implement?

A. Configure IAM roles to restrict push access to Artifact Registry
B. Configure Binary Authorization with a policy requiring attestation from Cloud Build
C. Use Cloud Deploy with a manual approval gate
D. Use Cloud Build's built-in approval mechanism
Answer: B

Binary Authorization can enforce that only images with a valid attestation from Cloud Build are deployed.

Why this answer

Binary Authorization allows attestations that enforce only images built by a specific process (e.g., via Cloud Build) can be deployed. Other options do not tie the deployment to the build source.

316
MCQ · medium

A company uses Cloud Build for CI/CD. They need to deploy a containerized app to Cloud Run automatically on every push to the main branch. Which Cloud Build configuration step is necessary?

A. Add a step to build the container with a Dockerfile.
B. Add a step to run the 'gcloud run deploy' command.
C. Add a step to push the image to Artifact Registry only.
D. Add a step to run unit tests.
Answer: B

This step performs the deployment to Cloud Run.

Why this answer

Option B is correct because Cloud Build requires an explicit step to run the `gcloud run deploy` command in order to trigger a deployment to Cloud Run. While Cloud Build can build and push images, it does not automatically deploy to Cloud Run unless a deploy step is included in the build configuration. This step uses the built image (from Artifact Registry) and deploys it as a new revision to the specified Cloud Run service.

Exam trap

Cisco often tests the misconception that pushing an image to a registry automatically triggers a deployment, but in Cloud Build, each deployment must be explicitly commanded via a deploy step like `gcloud run deploy`.

How to eliminate wrong answers

Option A is wrong because building the container with a Dockerfile is necessary for creating the image, but it is not the step that deploys the app to Cloud Run; deployment requires an explicit deploy command. Option C is wrong because pushing the image to Artifact Registry only stores the image; it does not trigger a deployment to Cloud Run, which requires a separate deploy step. Option D is wrong because running unit tests is a quality assurance step that is optional and does not directly cause a deployment to Cloud Run.

317
MCQ · hard

A DevOps team is designing a CI/CD pipeline for a microservices application deployed on Google Kubernetes Engine (GKE). They want to automatically build and deploy each service when a new tag is pushed to its repository. They also need to run integration tests against a staging environment before promoting to production. Which service should they use to orchestrate the pipeline?

A. Deployment Manager with a template
B. Cloud Deploy with a delivery pipeline
C. Cloud Build with a build trigger on tag push
D. Cloud Run with continuous deployment
Answer: C

Cloud Build can be triggered by a tag push, build the container, and deploy to GKE. It also supports running tests.

Why this answer

Cloud Build with a build trigger on tag push is the correct choice because it natively supports event-driven pipelines triggered by Git tags, enabling automatic build and deployment of each microservice. Combined with Cloud Build's ability to run integration tests in a staging environment and then promote to production, it provides a complete CI/CD solution for GKE without additional orchestration services.

Exam trap

Google Cloud often tests the distinction between CI/CD orchestration (Cloud Build) and delivery/rollout management (Cloud Deploy), leading candidates to choose Cloud Deploy because it sounds like a pipeline orchestrator, but it requires an external CI trigger to start the process.

How to eliminate wrong answers

Option A is wrong because Deployment Manager is an infrastructure-as-code tool for provisioning GCP resources, not a CI/CD pipeline orchestrator; it cannot trigger builds or deployments based on Git tag pushes. Option B is wrong because Cloud Deploy is a continuous delivery service that manages rollout strategies (e.g., canary, blue/green) but relies on an external CI system like Cloud Build to trigger the pipeline; it does not natively handle build triggers on tag push. Option D is wrong because Cloud Run with continuous deployment is designed for serverless container deployments, not for orchestrating multi-service CI/CD pipelines on GKE, and it lacks native support for tag-based triggers and staging-to-production promotion workflows.

318
MCQ · medium

A developer runs the command shown in the exhibit. They need to ensure that the application running on instance-3 can be restored quickly if it fails. What should they do?

A. Add instance-3 to an unmanaged instance group.
B. Configure Cloud DNS with a health check pointing to instance-3.
C. Create a managed instance group using an instance template based on instance-3's boot disk.
D. Take a snapshot of instance-3's disk and use it to create a new instance manually.
Answer: C

Managed instance groups automatically recreate failed instances.

Why this answer

Option C is correct because a managed instance group (MIG) with an instance template based on instance-3's boot disk provides automated health checking, auto-healing, and managed instance replacement. If instance-3 fails, the MIG automatically recreates it from the template, ensuring rapid restoration without manual intervention. This aligns with the goal of designing highly available and reliable applications on Google Cloud.

Exam trap

Cisco often tests the distinction between health-check-based traffic routing (Cloud DNS) and health-check-based instance recovery (MIG auto-healing), leading candidates to confuse DNS failover with automated instance restoration.

How to eliminate wrong answers

Option A is wrong because an unmanaged instance group does not provide auto-healing or automated instance replacement; it is a static collection of instances that must be managed manually, so it cannot restore instance-3 quickly on failure. Option B is wrong because Cloud DNS with a health check only routes traffic away from an unhealthy instance but does not recreate or restore the instance itself; it is a traffic management solution, not a recovery mechanism. Option D is wrong because taking a snapshot and manually creating a new instance is a manual, slow process that does not meet the requirement for rapid, automated restoration; it lacks the automation and health-based recovery of a managed instance group.

319
MCQ · easy

A company is deploying a static website on Cloud Storage with a custom domain. They want to serve the website over HTTPS. They have created a bucket with the same name as the domain and uploaded the files. They have verified the domain ownership in Search Console and added the bucket as a CNAME record in their DNS. Users report that when they navigate to the domain, they get a 404 error. The company has verified that the bucket's main page suffix is set to index.html. The team is confident the files are uploaded correctly. They need to resolve the 404 error and serve the site over HTTPS. What should they do?

A. Create a Cloud Load Balancer with the bucket as backend and update DNS.
B. Add a DNS A record pointing to the load balancer IP instead of a CNAME.
C. Enable Cloud CDN on the bucket.
D. Set the bucket's default object ACL to public read.
Answer: A

A Cloud Load Balancer provides SSL termination and a static IP for custom domains.

Why this answer

Option C is correct because to serve a static website on Cloud Storage with a custom domain and HTTPS, you must use a Cloud Load Balancer (HTTP(S) LB) with the bucket as the backend, and then point your DNS to the load balancer's IP address. Option A is incorrect because you cannot point an A record directly to a bucket; Cloud Storage does not provide a static IP. Option B is incorrect because Cloud CDN improves performance but does not enable HTTPS for a custom domain.

Option D is incorrect because setting public ACLs is not sufficient for HTTPS; you still need a load balancer for SSL termination.

320
MCQ · medium

You are configuring a Cloud Monitoring alerting policy for a Cloud Run service. The service has a maximum of 10 concurrent requests per instance. You want to be alerted when the average number of concurrent requests per instance exceeds 8 for at least 1 minute. Which metric and condition type should you use?

A. Metric: run.googleapis.com/request_count, Condition type: Metric Threshold, Threshold: >8
B. Metric: run.googleapis.com/request_count, Condition type: Metric Absence, Duration: 1 min
C. Metric: resource/container/cpu/utilization, Condition type: Metric Threshold, Threshold: >80%
D. Metric: run.googleapis.com/request_count, Condition type: Change Rate, Threshold: >0.5
Answer: A

This metric measures active requests; threshold condition works for sustained high concurrency.

Why this answer

Option A is correct because the `run.googleapis.com/request_count` metric tracks the number of concurrent requests per instance, which directly matches the requirement. A Metric Threshold condition with a threshold of >8 triggers an alert when the average exceeds 8 for at least 1 minute, aligning with the specified criteria.

Exam trap

Cisco often tests the distinction between metric types and condition types, where candidates confuse Metric Threshold (for sustained high values) with Change Rate (for sudden spikes) or Metric Absence (for missing data), leading to incorrect selections.

How to eliminate wrong answers

Option B is wrong because Metric Absence triggers when data is missing, not when a value exceeds a threshold; it would alert if the metric stops reporting, not when concurrent requests are high. Option C is wrong because `resource/container/cpu/utilization` measures CPU usage, not concurrent requests, and the threshold of 80% is unrelated to the request count. Option D is wrong because Change Rate detects sudden increases or decreases in the metric value, not a sustained high level; it would alert on a spike of >0.5 requests per minute, not when the average exceeds 8.

321
Multi-Select · easy

A company is designing a globally distributed application using Cloud Spanner. The application requires strong consistency and the ability to handle high read/write throughput. The team is concerned about inter-continental latency. Which two design choices would optimize performance while maintaining strong consistency? (Choose two.)

Select 2 answers
A.Enable leader-optimized routing to direct reads to the nearest leader region.
B.Use read-only replicas in each continent to serve reads locally.
C.Place a multi-region Spanner instance in geographic locations close to users.
D.Implement client-side caching with a short TTL for frequently accessed data.
E.Increase the number of nodes in the Spanner instance to improve throughput.
Answers: A, C

Leader-optimized routing reduces read latency while maintaining strong consistency.

Why this answer

A is correct because leader-optimized routing directs read requests to the nearest region that contains the leader replica for the requested data, reducing inter-continental latency while still reading from the leader to ensure strong consistency. C is correct because placing a multi-region Spanner instance in geographic locations close to users minimizes network round-trip time, and Spanner's synchronous replication across regions maintains strong consistency even with high read/write throughput.

Exam trap

The exam often tests the misconception that read-only replicas or caching can provide strong consistency, but in Spanner, only leader replicas guarantee strong consistency, and any form of caching or stale replica reads breaks that guarantee.

322
MCQ · medium

A company is migrating a legacy monolithic application to Google Cloud. They want to minimize code changes and operational overhead while improving scalability. The application currently uses a relational database and stores user-uploaded images on a local filesystem. Which combination of Google Cloud services should they use?

A.Cloud Spanner for the database and Cloud Storage for images
B.Cloud Firestore for the database and Cloud Storage with Cloud CDN for images
C.Cloud SQL for the database and Cloud Storage with Cloud CDN for images
D.Compute Engine with attached SSD persistent disks for both database and images
Answer: C

Cloud SQL provides a managed relational database with minimal changes, and Cloud Storage with CDN serves images efficiently at scale.

Why this answer

Option C is correct because Cloud SQL provides a fully managed relational database that requires minimal code changes when migrating from an existing relational database, while Cloud Storage with Cloud CDN handles user-uploaded images with scalable object storage and low-latency content delivery. This combination minimizes operational overhead by eliminating the need to manage database servers or file servers, and improves scalability through automatic replication and global edge caching.

Exam trap

Google Cloud often tests the misconception that any fully managed database (like Spanner or Firestore) is suitable for a legacy relational migration, but the trap here is that candidates overlook the requirement to minimize code changes and choose a NoSQL or globally distributed database that forces significant application rewrites.

How to eliminate wrong answers

Option A is wrong because Cloud Spanner is a globally distributed, horizontally scalable database designed for high-availability and strong consistency across regions, which introduces unnecessary complexity and cost for a legacy application that likely does not require global scale; it also requires significant code changes to adapt to Spanner's specific SQL dialect and consistency model. Option B is wrong because Cloud Firestore is a NoSQL document database that does not support relational queries, joins, or ACID transactions in the same way as a traditional relational database, forcing major application rewrites. Option D is wrong because Compute Engine with attached SSD persistent disks requires manual management of database software, backups, and failover, and does not provide the scalability or operational simplicity of managed services; it also lacks a CDN for image delivery, leading to higher latency and operational overhead.

323
MCQ · easy

A developer needs to view detailed performance profiles of a Java application running on Compute Engine to identify CPU hotspots. Which Google Cloud service should they use?

A.Cloud Monitoring
B.Cloud Trace
C.Cloud Profiler
D.Cloud Logging
Answer: C

Correct: Cloud Profiler is designed to capture and analyze performance profiles.

Why this answer

Cloud Profiler is the correct service because it provides continuous, low-overhead CPU and heap profiling for Java applications running on Compute Engine. It uses statistical sampling to identify which methods consume the most CPU time, enabling developers to pinpoint hotspots without requiring code changes or redeployment.

Exam trap

The trap here is that candidates confuse Cloud Trace (distributed tracing for latency) with Cloud Profiler (CPU/memory profiling), because both deal with 'performance' but at different granularities—Trace shows request paths, while Profiler shows method-level CPU consumption.

How to eliminate wrong answers

Option A is wrong because Cloud Monitoring collects metrics, uptime checks, and alerting policies but does not provide method-level CPU profiling or flame graphs to identify code hotspots. Option B is wrong because Cloud Trace focuses on latency analysis of request paths and distributed tracing, not on CPU usage per method or function. Option D is wrong because Cloud Logging aggregates and stores log entries for debugging and auditing, but it lacks the profiling agent and sampling engine needed to capture CPU call stacks.

324
MCQ · hard

A company uses Cloud Logging to centralize logs from multiple projects. They want to create a log-based metric for tracking 404 errors. However, the metric shows zero data even though 404 errors are occurring. What is the most likely reason?

A.The metric filter uses the wrong resource type
B.The metric is sampled and not all logs are considered
C.The logs are not being exported to Cloud Logging
D.The logs are being excluded by an exclusion filter before the metric is applied
Answer: D

Exclusion filters remove logs before metric ingestion.

Why this answer

Option D is correct because log-based metrics are computed from logs that have passed through all exclusion filters. If an exclusion filter is configured to discard logs matching certain criteria (e.g., all HTTP 4xx responses), those logs are never evaluated by the metric filter, causing the metric to show zero data even though 404 errors are occurring. Exclusion filters are applied before log-based metric evaluation in Cloud Logging.

Exam trap

The exam often tests the order of operations in the Cloud Logging pipeline, specifically that exclusion filters are applied before log-based metrics, leading candidates to mistakenly blame export or sampling issues instead.

How to eliminate wrong answers

Option A is wrong because the resource type in the metric filter only affects how logs are grouped or labeled, not whether they are included in the metric; a mismatched resource type would not cause zero data if the logs themselves are present. Option B is wrong because Cloud Logging does not sample logs for log-based metrics; all ingested logs are evaluated against metric filters unless excluded. Option C is wrong because the question states the company uses Cloud Logging to centralize logs, meaning logs are already being sent to Cloud Logging; the issue is not about export but about processing within the logging pipeline.

325
MCQ · medium

You are a Cloud Developer at a fintech company. Your team has developed a Node.js application that processes real-time financial transactions. The application is deployed on Cloud Run and uses Cloud Pub/Sub to receive transaction messages. The application must have high availability and low latency. Recently, the team noticed that during peak hours, the application experiences increased latency and some messages are not processed within the required 10-minute SLA. The team has configured Cloud Run with a minimum of 5 instances and a maximum of 50, with a concurrency setting of 80. The CPU usage per instance rarely exceeds 40% during peak times. The team also uses Cloud Monitoring and Logging for observability. After analyzing the logs, you find that the message processing time increases due to a database call that often takes 2-3 seconds. The Pub/Sub subscription is configured with a delivery deadline of 10 minutes. What should you recommend to reduce latency and ensure messages are processed within SLA?

A.Increase the concurrency setting to 200 to allow each instance to handle more requests simultaneously, reducing queuing.
B.Migrate the application to GKE with Horizontal Pod Autoscaler to scale based on custom metrics.
C.Increase the CPU limit per container to 2 CPUs to speed up the database call.
D.Increase the minimum number of instances to 50 to ensure capacity during peak hours.
Answer: A

Higher concurrency fully utilizes instance capacity.

Why this answer

Increasing the concurrency setting to 200 allows each Cloud Run instance to handle more requests simultaneously, which reduces the queuing delay caused by the 2-3 second database call. Since CPU usage is only 40%, the instances have headroom to process additional concurrent requests without being CPU-bound, directly addressing the latency issue within the 10-minute SLA.

Exam trap

The trap here is that candidates assume low CPU usage means the application is not busy, when in fact the bottleneck is I/O wait from the database call, and increasing concurrency allows the instance to handle more work during those I/O waits.

How to eliminate wrong answers

Option B is wrong because migrating to GKE adds operational complexity and is unnecessary; Cloud Run already scales automatically and the issue is concurrency, not scaling logic. Option C is wrong because increasing CPU limits does not speed up the database call itself—the bottleneck is the external database latency, not local CPU processing. Option D is wrong because increasing the minimum instances to 50 would waste resources and increase cost; the current minimum of 5 is sufficient since CPU usage is low, and the real problem is that each instance is underutilized due to low concurrency.

326
MCQ · medium

A Cloud Run service is experiencing intermittent high latency. The team has enabled Cloud Trace. They want to identify the root cause by analyzing traces. What should they look for in the Trace viewer?

A.High container CPU usage
B.Large number of concurrent requests
C.Frequent log entries with 'WARNING'
D.Spans with high latency and error status
Answer: D

High-latency spans pinpoint bottlenecks; errors indicate failures.

Why this answer

In Cloud Trace, the root cause of intermittent high latency is identified by examining spans—the fundamental units representing work in a distributed system. Spans with high latency directly indicate where time is being spent, and an error status (e.g., HTTP 5xx or gRPC error codes) pinpoints a failure that could be causing retries or blocking, leading to the observed latency. This combination is the most direct signal for root cause analysis in trace data.

Exam trap

The exam often tests the distinction between metrics (like CPU usage) and trace data (like spans), leading candidates to confuse operational monitoring signals with the specific diagnostic tools available in Cloud Trace.

How to eliminate wrong answers

Option A is wrong because container CPU usage is a metric, not a trace attribute; Cloud Trace analyzes request-level spans, not resource utilization, which is monitored via Cloud Monitoring. Option B is wrong because a large number of concurrent requests is a symptom or contributing factor, not a root cause identifiable from a single trace; traces show individual request paths, not aggregate concurrency. Option C is wrong because frequent log entries with 'WARNING' are log-based signals, not trace data; Cloud Trace focuses on span timing and status, and warnings may correlate with but do not directly indicate the root cause of latency in a trace.

327
MCQ · easy

Refer to the exhibit. The Cloud Build fails with an error that the image name is invalid. What is the most likely cause?

A.The push step should be after the deploy step.
B.The substitution variable $MY_PROJECT is not a valid substitution because it is not prefixed with underscore.
C.The Docker build step fails because the Dockerfile is missing.
D.The image name contains uppercase letters that are not allowed.
Answer: B

User-defined substitutions must start with underscore; $MY_PROJECT is not valid.

Why this answer

Option B is correct because user-defined Cloud Build substitutions must start with an underscore (e.g., $_MY_PROJECT). Option A is unrelated, since step order has no bearing on whether an image name is valid. Option C is false, and Option D is wrong.
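The substitution and image-name rules behind this question, as an added example that is not part of the original question bank: a small Python linter over a parsed cloudbuild config. The built-in substitution list is a subset of the documented names, the two configs are constructed to mirror the failing and fixed builds, and loading a real cloudbuild.yaml with a YAML parser is left out.

```python
import re

# Built-in substitutions that Cloud Build supplies without a leading underscore.
# Assumption: a subset of the documented list, enough for this check.
BUILTIN_SUBSTITUTIONS = {
    "PROJECT_ID", "PROJECT_NUMBER", "BUILD_ID", "LOCATION", "TRIGGER_NAME",
    "COMMIT_SHA", "SHORT_SHA", "REVISION_ID", "REPO_NAME", "BRANCH_NAME", "TAG_NAME",
}

# Matches $NAME and ${NAME}; "$$" escapes a literal dollar sign and is stripped first.
SUB_REF = re.compile(r"\$\{?([A-Za-z0-9_]+)\}?")
# User-defined substitutions must start with an underscore and use only A-Z, 0-9, _.
USER_DEFINED = re.compile(r"_[A-Z0-9_]+")


def check_substitution(name):
    """Return None if the substitution name is acceptable, else a description of the problem."""
    if name in BUILTIN_SUBSTITUTIONS or USER_DEFINED.fullmatch(name):
        return None
    return (f"'${name}' is not a built-in substitution, and user-defined substitutions must "
            f"match _[A-Z0-9_]+ (e.g. '$_{name.lstrip('_').upper()}')")


def referenced_substitutions(text):
    """Substitution names referenced in one string, ignoring escaped '$$'."""
    return SUB_REF.findall(text.replace("$$", ""))


def lint_cloudbuild(config):
    """Lint a parsed cloudbuild config (a dict, as yaml.safe_load would return).

    Returns a de-duplicated list of findings; an empty list means the config passed.
    """
    findings = []

    def add(message):
        if message not in findings:
            findings.append(message)

    declared = set(config.get("substitutions", {}))
    texts = []
    for step in config.get("steps", []):
        texts.append(step.get("name", ""))
        texts.extend(step.get("args", []))
    texts.extend(config.get("images", []))

    for text in texts:
        for name in referenced_substitutions(text):
            problem = check_substitution(name)
            if problem:
                add(problem)
            elif name not in BUILTIN_SUBSTITUTIONS and name not in declared:
                # An undeclared user substitution must come from the trigger, or the build
                # fails with a missing-key error unless substitutionOption is ALLOW_LOOSE.
                add(f"'${name}' is used but not declared under 'substitutions:'")

    # Registry paths must be lowercase: check the literal parts of each image name.
    for image in config.get("images", []):
        literal = SUB_REF.sub("", image)
        if any(c.isupper() for c in literal):
            add(f"image name '{image}' contains uppercase letters outside substitutions")
    return findings


# Constructed config mirroring the failing build: $MY_PROJECT lacks the underscore.
BAD_CONFIG = {
    "steps": [
        {"name": "gcr.io/cloud-builders/docker",
         "args": ["build", "-t", "gcr.io/$MY_PROJECT/app:$SHORT_SHA", "."]},
        {"name": "gcr.io/cloud-builders/docker",
         "args": ["push", "gcr.io/$MY_PROJECT/app:$SHORT_SHA"]},
    ],
    "images": ["gcr.io/$MY_PROJECT/app:$SHORT_SHA"],
}

# The same build with the substitution renamed and declared with a placeholder default.
GOOD_CONFIG = {
    "steps": [
        {"name": "gcr.io/cloud-builders/docker",
         "args": ["build", "-t", "gcr.io/$_MY_PROJECT/app:$SHORT_SHA", "."]},
        {"name": "gcr.io/cloud-builders/docker",
         "args": ["push", "gcr.io/$_MY_PROJECT/app:$SHORT_SHA"]},
    ],
    "images": ["gcr.io/$_MY_PROJECT/app:$SHORT_SHA"],
    "substitutions": {"_MY_PROJECT": "my-project-placeholder"},
}

if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(label, lint_cloudbuild(cfg) or "OK")
```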

328
MCQ · hard

Refer to the exhibit. A team is deploying a Cloud Function that needs to connect to a Cloud SQL instance in a VPC. They have set up a VPC connector. After deployment, the function fails to connect to the database. What is the most likely cause?

A.The VPC connector is in a different region than the function
B.The function's service account does not have permissions to use the VPC connector
C.The environment variable DB_HOST is misspelled
D.The database firewall rules do not allow traffic from the VPC connector's subnet
Answer: A

The VPC connector and Cloud Function must be in the same region.

Why this answer

Option A is correct because the VPC connector must be in the same region as the Cloud Function; if they are in different regions, the function cannot use the connector. Option D is less likely because Cloud SQL private IP uses VPC peering, not firewall rules. Option B is possible, but the default service account usually has the necessary permissions. Option C is a possible typo but less likely, given that the exhibit shows 'DB_HOST'.

329
Multi-Select · hard

Which THREE are valid methods to create custom metrics in Cloud Monitoring?

Select 3 answers
A.Using the Cloud Monitoring API to write metric points.
B.Using the OpenTelemetry Collector to export metrics.
C.Using Cloud Console's Metrics Explorer to manually enter data.
D.Creating a log-based metric from Cloud Logging.
E.Using Cloud Functions to emit metrics via Stackdriver Monitoring API.
Answers: A, B, D

The monitoring API allows programmatic ingestion of custom metric data points, a standard approach for custom metrics.

Why this answer

Option A is correct because the Cloud Monitoring API allows you to write custom metric points directly using the `projects.timeSeries.create` method. This enables you to define your own metric descriptors and send time-series data to Cloud Monitoring, which is a fundamental way to create custom metrics.

Exam trap

The trap here is that candidates may think Metrics Explorer (option C) can create custom metrics because it allows you to chart data, but it is purely a query interface and cannot ingest new data.

330
MCQ · hard

A company has a multi-region deployment of their application on GKE. They need to monitor service-level indicators (SLIs) like availability and latency across regions. They want a single pane of glass to view SLO compliance. What should they use?

A.Cloud Logging with log-based metrics
B.Cloud Profiler cross-region profiles
C.Cloud Monitoring SLO monitoring
D.Cloud Trace multi-region traces
Answer: C

SLO monitoring is specifically designed for tracking compliance with service-level objectives.

Why this answer

Cloud Monitoring SLO monitoring is the correct choice because it provides a unified dashboard (single pane of glass) to define, track, and visualize service-level indicators (SLIs) such as availability and latency across multiple GKE regions. It allows you to set SLO targets, monitor compliance over time, and receive alerts when the error budget is depleted, all within a single monitoring view.

Exam trap

The exam often tests the distinction between monitoring tools (Cloud Monitoring) and debugging tools (Cloud Trace, Cloud Profiler), so the trap here is that candidates may confuse Cloud Trace's latency traces with the ability to monitor SLO compliance, or think Cloud Logging's log-based metrics can replace the dedicated SLO dashboard.

How to eliminate wrong answers

Option A is wrong because Cloud Logging with log-based metrics is used to extract metrics from log entries (e.g., count of errors), but it does not natively provide SLO compliance dashboards or a cross-region aggregated view of SLIs; it lacks the built-in SLO tracking and error budget management. Option B is wrong because Cloud Profiler is a continuous profiling tool that identifies performance bottlenecks (CPU, memory) in code, not a monitoring tool for SLIs like availability or latency across regions; it does not offer SLO compliance dashboards. Option D is wrong because Cloud Trace is a distributed tracing system that captures latency data for individual requests, but it does not aggregate SLIs or provide SLO compliance views; it focuses on request-level traces, not high-level SLO dashboards.

331
MCQ · medium

A team is using Cloud Spanner for a global application. They notice that read latency is high for queries that filter on a non-key column. The table has a primary key of (CustomerID, OrderDate) and there are millions of rows. The query uses a WHERE clause on the 'Status' column. The team wants to reduce latency without significantly increasing storage costs. What is the most effective action?

A.Create an interleaved table for 'Status' values.
B.Create a secondary index on the 'Status' column.
C.Increase the number of nodes in the Spanner instance.
D.Use stale reads with a 15-second staleness.
Answer: B

A secondary index enables index scans on 'Status', drastically reducing read latency.

Why this answer

Creating a secondary index on the 'Status' column (Option B) allows Cloud Spanner to directly locate rows matching the filter without scanning the entire table. This reduces read latency because Spanner can use the index to perform a point lookup or small range scan instead of a full table scan. Indexes in Spanner are stored as separate tables, but they add minimal storage overhead compared to the latency improvement they provide.

Exam trap

The exam often tests the misconception that scaling nodes or using stale reads can fix query performance issues caused by missing indexes, but the correct solution is always to optimize the data access pattern with an appropriate index.

How to eliminate wrong answers

Option A is wrong because an interleaved table is designed to store child rows physically co-located with a parent row, which helps for hierarchical queries but does not help with filtering on a non-key column like 'Status'; it would increase storage costs without addressing the query pattern. Option C is wrong because increasing the number of nodes improves throughput and capacity but does not directly reduce latency for a specific query that requires scanning many rows; it is a costly scaling measure that does not fix the root cause. Option D is wrong because stale reads reduce latency by reading from replicas with slightly outdated data, but they do not eliminate the need to scan the entire table; the query still suffers from high latency due to the full scan, and staleness introduces data freshness trade-offs.

332
Multi-Select · medium

Which two strategies should be implemented to ensure high availability for a Compute Engine instance group running a stateless web application?

Select 2 answers
A.Use preemptible VMs
B.Use regional managed instance group
C.Use global load balancing
D.Use instance templates
E.Use multi-zone deployment
Answers: B, E

Regional MIG distributes instances across zones for automatic failover.

Why this answer

Regional managed instance groups (MIGs) distribute instances across multiple zones within a region, providing automatic healing and high availability by recovering from zone failures. Combined with a global load balancer, they ensure traffic is routed only to healthy instances, making them ideal for stateless web applications that require resilience against zonal outages.

Exam trap

The exam often tests the misconception that global load balancing alone provides high availability, but it only distributes traffic; the underlying compute resources must be resilient, which requires a regional MIG or multi-zone deployment to survive zone failures.

333
MCQ · hard

A company uses Cloud Spanner for a financial application. They need to ensure strong global consistency but also minimize latency for writes. What schema design should they use?

A.Use secondary indexes
B.Use commit timestamps
C.Use parent-child table relationships with interleaved tables
D.Use a single table with interleaved indexes
Answer: C

Interleaving allows co-location of related rows, reducing write latency.

Why this answer

Option C is correct because interleaved tables in Cloud Spanner physically co-locate parent and child rows on the same split, reducing cross-node coordination for strongly consistent reads and writes. This minimizes write latency by ensuring that related data is stored together, avoiding distributed transaction overhead for operations that span parent-child relationships.

Exam trap

The trap here is that candidates confuse interleaved tables with secondary indexes or commit timestamps, thinking those features directly reduce write latency, when in fact only physical co-location through interleaved tables achieves that goal in a globally consistent system.

How to eliminate wrong answers

Option A is wrong because secondary indexes do not affect write latency or consistency; they are used for query performance and can actually increase write latency due to index maintenance. Option B is wrong because commit timestamps are a feature for ordering and tracking writes, not a schema design that reduces latency or ensures global consistency. Option D is wrong because a single table with interleaved indexes is not a valid schema design; interleaved indexes are not a concept in Cloud Spanner—the correct term is interleaved tables, and a single table cannot leverage co-location benefits.

334
MCQ · medium

A developer is using Cloud Logging and wants to export logs from a specific project to BigQuery for long-term analysis. They have created a log sink and given the appropriate permissions, but logs are not appearing in BigQuery. What is the most likely cause?

A.The sink's filter is too restrictive and no logs match.
B.The sink's destination BigQuery dataset is in a different region than the logs.
C.The log entries are not in JSON format.
D.The service account used for the sink does not have the 'bigquery.dataEditor' role.
Answer: D

Correct: the sink's writer identity must have write access to the BigQuery dataset.

Why this answer

Option D is correct because the log sink uses a service account to write logs to BigQuery. Even if the sink is configured correctly, the service account must have the 'bigquery.dataEditor' role on the destination dataset to insert log entries. Without this role, the sink will fail silently, and logs will not appear in BigQuery.

Exam trap

The exam often tests the misconception that simply creating a sink and granting project-level permissions is sufficient, when in fact the service account needs the explicit dataset-level 'bigquery.dataEditor' role.

How to eliminate wrong answers

Option A is wrong because if the filter were too restrictive, no logs would match, but the question states logs are not appearing, not that no logs are generated; a restrictive filter would still show matching logs if any exist. Option B is wrong because BigQuery datasets can receive logs from any region; cross-region log exports are supported, though they may incur additional costs, but they do not prevent logs from appearing. Option C is wrong because Cloud Logging automatically converts log entries to JSON format when exporting to BigQuery; the original log format does not affect the export.

335
MCQ · hard

A developer is debugging a Cloud Function that fails with a timeout. The function makes multiple synchronous external API calls. What is the best way to improve performance and avoid timeouts?

A.Increase the timeout of the Cloud Function to the maximum of 9 minutes.
B.Use Firestore transactions to batch API calls.
C.Use Pub/Sub to trigger another function for each API call.
D.Use Cloud Tasks to offload the API calls asynchronously.
Answer: D

Cloud Tasks allows the function to return quickly and processes requests later.

Why this answer

Cloud Tasks is the best choice because it allows you to offload synchronous external API calls to be executed asynchronously, decoupling the Cloud Function from the slow external services. This prevents the function from timing out while waiting for responses, and Cloud Tasks handles retries and scheduling automatically, improving overall reliability and performance.

Exam trap

The exam often tests the misconception that increasing the timeout or using Pub/Sub is the correct solution for synchronous blocking operations, but the key is to use a dedicated task queue service like Cloud Tasks that provides asynchronous execution with built-in retry and decoupling.

How to eliminate wrong answers

Option A is wrong because simply increasing the timeout to the maximum of 9 minutes does not address the root cause—the function is still blocking on synchronous API calls, which could still exceed even the maximum timeout and waste resources. Option B is wrong because Firestore transactions are designed for atomic database operations, not for batching external API calls; they cannot make HTTP requests or improve the performance of external API calls. Option C is wrong because using Pub/Sub to trigger another function for each API call introduces unnecessary complexity and latency; Pub/Sub is a message queue for event-driven architectures, not designed for offloading synchronous tasks with retry logic like Cloud Tasks.

336
MCQ · easy

A company uses Cloud Monitoring to set up an alerting policy for CPU utilization on Compute Engine instances. They want to be notified when average CPU usage exceeds 80% for 5 minutes. Which threshold type should they use?

A.Forecast
B.Change rate
C.Threshold
D.Metric absence
Answer: C

Threshold alert fires when metric crosses a set value for a duration.

Why this answer

Option C is correct because a Threshold alerting policy in Cloud Monitoring triggers when a metric's value crosses a defined static boundary. For this use case, setting a threshold of 80% with a duration of 5 minutes directly matches the requirement to alert when average CPU usage exceeds 80% for that period.

Exam trap

Google Cloud often tests the distinction between alerting on a sustained level (Threshold) versus alerting on a change (Change rate) or a prediction (Forecast), and candidates confuse 'average over time' with 'rate of change'.

How to eliminate wrong answers

Option A is wrong because Forecast alerting uses machine learning to predict future metric values and alert when the forecast crosses a threshold, not for monitoring current or historical average CPU usage. Option B is wrong because Change rate alerting detects sudden increases or decreases in a metric's value over a window, not a sustained level above a fixed percentage. Option D is wrong because Metric absence alerts fire when a metric stops reporting data, which is unrelated to monitoring CPU usage exceeding a threshold.

337
MCQ · easy

A developer is deploying a 2nd gen Cloud Function that needs to connect to a Cloud SQL MySQL instance. The Cloud SQL instance is configured with a private IP only. The Cloud Function is deployed with a VPC connector that is connected to the same VPC network as the Cloud SQL instance. The developer has granted the Cloud Function's service account the Cloud SQL Client role. However, when the function is invoked, connection attempts to the Cloud SQL instance time out. The Cloud Function code uses the MySQL connector with the private IP address of the Cloud SQL instance. The developer has verified that the VPC connector is healthy and that the Cloud SQL instance is running. Which additional configuration is most likely required?

A.Modify the connection string to require SSL/TLS.
B.Deploy the Cloud SQL Auth proxy as an additional container in the Cloud Function.
C.Configure Private Services Access to establish a VPC peering between the VPC network and the Cloud SQL service network.
D.Assign a public IP to the Cloud SQL instance and configure the function to use it.
Answer: C

Private Services Access creates the necessary route for the VPC connector to reach the Cloud SQL private IP range.

Why this answer

Option C is correct. Even though the VPC connector is on the same VPC network as Cloud SQL, the Cloud SQL private IP address is allocated from a private services access range that is not automatically routed. You must set up Private Services Access to create a route from the VPC to the Cloud SQL private IP range. Without this, traffic from the VPC connector cannot reach the Cloud SQL instance. Option D is incorrect because the Cloud Function uses a VPC connector, so it does not need or use a public IP. Option B is incorrect because the Cloud SQL Auth proxy is not needed for private IP connections. Option A is incorrect because an SSL/TLS configuration problem would cause a TLS handshake error, not a timeout.

338
MCQ · hard

A Cloud Function (background function, event-driven) consistently logs this timeout error. The function processes messages from Pub/Sub. After increasing the max instances from 10 to 100, the error rate increases. What is the most likely cause of the timeouts?

A.The function depends on an external service that is rate-limited; scaling up causes more calls and timeouts
B.Increase memory allocation to speed up processing
C.Use a larger instance type (Cloud Functions does not have instance types)
D.Migrate the function to Cloud Run for longer timeouts
E.The function timeout is set too low; increase it to 9 minutes
Answer: A

With more instances, more concurrent calls to the external service may exceed its rate limit, causing timeouts.

Why this answer

Option A is correct because increasing the max instances from 10 to 100 amplifies the number of concurrent function invocations. If the function depends on an external service (e.g., a third-party API or database) that enforces rate limits, the higher concurrency causes more requests to be throttled or rejected, leading to increased timeouts. This is a classic scaling anti-pattern where horizontal scaling exacerbates a bottleneck instead of relieving it.

Exam trap

The exam often tests the misconception that scaling up instances always improves performance, when in reality it can worsen timeouts if the bottleneck is an external dependency with fixed capacity or rate limits.

How to eliminate wrong answers

Option B is wrong because increasing memory allocation primarily improves CPU performance and reduces cold starts, but does not address timeouts caused by external rate limiting or downstream dependencies. Option C is wrong because Cloud Functions does not support selecting instance types; it uses a serverless model where resources are allocated automatically based on the memory setting. Option D is wrong because migrating to Cloud Run does not inherently resolve timeouts caused by external rate limiting; Cloud Run also has a default request timeout of 300 seconds (configurable up to 60 minutes), but the core issue is downstream throttling, not the platform's timeout limit.

Option E is wrong because increasing the function timeout (max 9 minutes for Cloud Functions 1st gen) would only delay the timeout error; if the external service is rate-limiting requests, the function will still fail after waiting longer, and the error rate will remain high or worsen.

339
Multi-Select (medium)

Which THREE metrics are commonly used to create a Service Level Indicator (SLI) for availability of an HTTP-based service?

Select 3 answers
A. Uptime check success rate
B. CPU utilization
C. Error rate (5xx responses)
D. Request latency
E. Request count
Answers: A, C, D

Uptime checks measure whether the service is reachable and responding.

Why this answer

Uptime check success rate directly measures whether the service is reachable and responding, typically via periodic HTTP probes (e.g., GET /health). A successful response (e.g., HTTP 200) indicates availability, while failures (timeouts, connection errors) indicate unavailability. This is a standard SLI for availability in HTTP-based services.

Exam trap

Cisco often tests the distinction between availability SLIs (uptime, error rate) and performance SLIs (latency, throughput); candidates mistakenly include CPU utilization or request count as availability metrics.

340
Multi-Select (medium)

Which TWO are best practices for setting up Cloud Monitoring alerting policies to minimize alert fatigue? (Select exactly 2.)

Select 2 answers
A. Aggregate metrics across all projects before alerting.
B. Use condition thresholds with an 'AND' combination of multiple metrics.
C. Use log-based metrics for all alerts instead of metric-based alerts.
D. Create a separate alerting policy for each possible symptom.
E. Set the 'for' parameter to a duration longer than typical transient spikes.
Answers: B, E

Requiring both conditions to be true reduces noise.

Why this answer

Using multiple conditions with AND logic reduces false positives. Setting a 'for' duration prevents transient spikes from alerting. Aggregating across projects first is not a best practice; it is better to alert per project.

Using log-based metrics for everything is not always appropriate. Synthetic monitors are for availability, not general alerting.

341
MCQ (hard)

A company uses GKE with cluster autoscaling and node auto-upgrade. During a traffic spike, new pods are unschedulable even though the cluster autoscaler adds nodes. What is the most likely cause?

A. The pods have resource requests that exceed available node capacity
B. The cluster autoscaler is disabled
C. The node pool has reached its maximum size limit
D. The pods have tolerations that don't match node taints
E. The nodes are in unhealthy status
Answer: D

Newly added nodes may have taints (e.g., from node auto-upgrade) that the pods do not tolerate, preventing scheduling.

Why this answer

Option D is correct because if pods have tolerations that do not match the taints on the nodes, the scheduler will not place them on those nodes, even if the cluster autoscaler has added new nodes. This mismatch prevents scheduling, leading to unschedulable pods despite sufficient node capacity.

Exam trap

Cisco often tests the distinction between resource-based scheduling failures (like insufficient capacity) and policy-based scheduling failures (like taint/toleration mismatches), where candidates mistakenly assume that adding nodes always solves unschedulable pods.

How to eliminate wrong answers

Option A is wrong because resource requests exceeding node capacity would cause the cluster autoscaler to add more nodes, but the question states new nodes are added; the issue is scheduling, not capacity. Option B is wrong because the cluster autoscaler is explicitly stated to be adding nodes, so it is not disabled. Option C is wrong because if the node pool had reached its maximum size limit, the autoscaler would not add nodes, but the question says it does add nodes.

Option E is wrong because unhealthy nodes would be cordoned or drained by GKE's node auto-repair, but the autoscaler adds new nodes; the problem is pod scheduling, not node health.

342
MCQ (medium)

A development team is implementing a CI/CD pipeline using Cloud Build. They need to ensure that sensitive data, such as API keys, are never exposed in build logs. What is the best practice?

A. Use Cloud Build's encrypted variables or Secret Manager to pass secrets at build time.
B. Store the API keys in a separate file in the source repository and reference it in the build.
C. Use custom substitutions with default values and rely on Cloud Build's encryption.
D. Store the API keys as plain text in cloudbuild.yaml and restrict access to the file.
Answer: A

Secrets can be passed at runtime and are not logged.

Why this answer

Option A is correct because Cloud Build's encrypted variables and Secret Manager are designed to securely inject sensitive data like API keys at build time without exposing them in logs. Encrypted variables are stored in Cloud KMS and decrypted only during the build, while Secret Manager provides versioned secrets with fine-grained access control. This ensures secrets never appear in plaintext in the build configuration or output logs.

Exam trap

Cisco often tests the misconception that storing secrets in a separate file in the source repository or using file permissions is sufficient, when in fact any plaintext storage in version control or build configuration risks exposure in logs or repository history.

How to eliminate wrong answers

Option B is wrong because storing API keys in a separate file in the source repository still commits them to version control, which can be exposed via branch history, forks, or accidental public access. Option C is wrong because custom substitutions with default values are not inherently encrypted; they are plaintext in the build configuration and can appear in logs if not carefully managed, and Cloud Build does not automatically encrypt substitutions. Option D is wrong because storing API keys as plaintext in cloudbuild.yaml, even with restricted file access, leaves them visible in the build configuration and logs, and file permissions do not prevent exposure during build execution or in stored artifacts.
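As an added example (not part of the question bank), a cloudbuild.yaml that injects an API key from Secret Manager into one build step through secretEnv, so the value never appears in the build configuration or logs; PROJECT_ID, the secret name api-key and the URL are placeholders.

```yaml
# Added example: Secret Manager secret injected into a Cloud Build step.
# PROJECT_ID, the secret name "api-key" and the URL are placeholders.
# The Cloud Build service account needs roles/secretmanager.secretAccessor
# on the secret for the build to fetch it.
steps:
  # The secret exists only inside this step, as the env var API_KEY.
  # "$$" stops Cloud Build from treating it as a substitution; the shell
  # expands $API_KEY at run time. Never echo it, or it lands in the log.
  - name: 'gcr.io/cloud-builders/gcloud'
    entrypoint: 'bash'
    secretEnv: ['API_KEY']
    args:
      - '-c'
      - |
        curl -sf -H "Authorization: Bearer $$API_KEY" \
          https://api.example.com/v1/ping

availableSecrets:
  secretManager:
    - versionName: projects/PROJECT_ID/secrets/api-key/versions/latest
      env: 'API_KEY'

# The pattern the question rejects (option C): a substitution is plaintext
# in the build config and is recorded with the build's metadata.
# substitutions:
#   _API_KEY: 'PLACEHOLDER-NOT-A-REAL-KEY'
```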

343
MCQ (hard)

A developer deploys a Cloud Function (2nd gen) that processes messages from Pub/Sub. The function sometimes fails with 'Deadline Exceeded' for messages that take longer than 9 minutes. What should the developer do to handle these long-running messages without losing them?

A. Configure the function to retry on failure and set a maximum retry count.
B. Increase the Cloud Function timeout to 60 minutes.
C. Set the Pub/Sub subscription acknowledgment deadline to 10 minutes and implement a push endpoint that acknowledges after processing.
D. Use Cloud Tasks instead of Pub/Sub for asynchronous invocation.
Answer: C

Extending the ack deadline prevents the message from being redelivered before processing completes.

Why this answer

Option C is correct because Cloud Functions (2nd gen) have a maximum timeout of 60 minutes, but Pub/Sub push subscriptions have a default acknowledgment deadline of 10 seconds. By setting the acknowledgment deadline to 10 minutes and implementing a push endpoint that acknowledges after processing, the developer ensures the message is not redelivered prematurely while allowing the function up to 10 minutes to complete. This prevents 'Deadline Exceeded' errors for messages that take longer than 9 minutes without losing messages, as the subscription will wait for the acknowledgment before considering the message as failed.

Exam trap

Cisco often tests the misconception that increasing the Cloud Function timeout alone solves Pub/Sub push subscription issues, but the trap here is that the Pub/Sub subscription's acknowledgment deadline is independent of the function timeout and must be configured separately to prevent premature redelivery.

How to eliminate wrong answers

Option A is wrong because configuring retry on failure with a maximum retry count does not address the root cause of the timeout; it only retries the same failing invocation, which will still exceed the 9-minute limit and continue to fail. Option B is wrong because increasing the Cloud Function timeout to 60 minutes does not change the Pub/Sub push subscription's acknowledgment deadline (default 10 seconds), so the subscription will still consider the message as undelivered and redeliver it, causing duplicate processing and potential 'Deadline Exceeded' errors. Option D is wrong because Cloud Tasks is an alternative service for asynchronous invocation, but it does not solve the specific issue of Pub/Sub's acknowledgment deadline; the developer would still need to configure timeouts and retries appropriately, and the question explicitly asks for handling long-running messages without losing them within the Pub/Sub context.

344
MCQ (easy)

Refer to the exhibit. A developer is deploying a container to Cloud Run and receives the error shown. What is the most likely cause?

A. The container's health check is failing because the startup command is incorrect.
B. The PORT environment variable is not set correctly in the Cloud Run service configuration.
C. The container image does not exist in the specified registry.
D. The container is trying to listen on a privileged port (e.g., 80) instead of the expected port 8080.
Answer: D

The 'Permission denied' bind error is misleading: the application is attempting to bind to a low port (80) that requires root, but Cloud Run runs the container as non-root.

Why this answer

Cloud Run requires containers to listen on the port specified by the PORT environment variable, which defaults to 8080. The error indicates the container is trying to bind to port 80, a privileged port, which is not allowed by the Cloud Run runtime sandbox. This mismatch causes the container to fail health checks and deployment.

Exam trap

Cisco often tests the misconception that the error is due to a missing image or incorrect health check, when in fact the container is failing to bind to the correct port because it ignores the PORT environment variable.

How to eliminate wrong answers

Option A is wrong because the error message explicitly states 'listen tcp :80: bind: permission denied', not a startup command failure; the command may be correct but the port is wrong. Option B is wrong because the PORT environment variable is set correctly by Cloud Run (default 8080), but the container is ignoring it and trying to use port 80 instead. Option C is wrong because the error is about port binding, not image retrieval; if the image were missing, the error would be 'Image not found' or 'Unauthorized'.

345
MCQ (medium)

A team uses Cloud Build to automatically deploy a Cloud Function on push to a repository. The build fails intermittently with 'PERMISSION_DENIED' when executing gcloud functions deploy. What is the most likely cause?

A. The region specified in the build configuration does not match the function's region.
B. The build configuration file has a syntax error.
C. The Cloud Source Repository does not have the correct triggers.
D. The Cloud Build service account lacks the necessary IAM permissions on the Cloud Functions API.
Answer: D

Cloud Build requires roles/cloudfunctions.developer to deploy functions.

Why this answer

Option D is correct because the Cloud Build service account needs the Cloud Functions Developer role. Option C is wrong because repository triggers are not the issue. Option A is wrong because a region mismatch would give a different error.

Option B is wrong because a build configuration syntax error would give a parsing error.

346
MCQ (hard)

A multinational corporation runs a web application on Google Kubernetes Engine (GKE) with multiple microservices. They use Cloud Service Mesh (Anthos) for observability and security. The application uses gRPC for inter-service communication. Recently, they have observed increased latency and occasional timeouts between services in different regional clusters connected via Cloud VPN. The team wants to diagnose the issue and improve reliability. They suspect network round-trip time (RTT) is causing the latency, but they are not sure if the problem is at the application or network layer. Which tool should they use to pinpoint the exact cause?

A. Use Cloud Monitoring to view gRPC latency distributions and break down by service and method.
B. Use Cloud Trace to analyze distributed traces and identify bottlenecks in request paths.
C. Use VPC Flow Logs to examine network throughput and packet loss.
D. Use Cloud Logging to search for error logs in the application containers.
Answer: B

Cloud Trace captures end-to-end latency for each request.

Why this answer

Cloud Trace is the correct tool because it provides end-to-end distributed tracing, which can capture the exact latency contribution of each gRPC call across microservices and regional clusters. By analyzing trace spans, the team can determine whether the increased latency is due to network round-trip time (RTT) between clusters or due to application-level processing delays within a service.

Exam trap

The trap here is that candidates confuse aggregated metrics (Cloud Monitoring) with distributed tracing (Cloud Trace), failing to recognize that only tracing can break down latency per request hop across services and clusters.

How to eliminate wrong answers

Option A is wrong because Cloud Monitoring can show aggregated gRPC latency distributions but cannot break down latency into individual request hops or pinpoint whether the delay occurs at the network layer versus application layer. Option C is wrong because VPC Flow Logs capture network metadata (e.g., throughput, packet loss) but do not provide per-request application-level tracing or gRPC method-level insights needed to isolate the exact cause of latency in inter-service communication. Option D is wrong because Cloud Logging only surfaces error logs and does not provide latency breakdowns or distributed trace context to identify where time is spent across service boundaries.

347
Matching (medium)

Match each IAM role to its description.

Matches

Can create and run Cloud Build builds

Can invoke Cloud Run services

Can list and read objects in a bucket

Can access secret versions

Can invoke Cloud Functions

Why these pairings

IAM roles define granular permissions for Google Cloud resources.

348
MCQ (medium)

A company is deploying a microservices application on Google Kubernetes Engine (GKE) and needs to ensure that services can discover each other without hardcoding IP addresses. Which approach should they use?

A. Use environment variables injected into each pod
B. Use a ConfigMap to store service endpoints
C. Use Cloud DNS with Kubernetes Services of type ClusterIP
D. Use Cloud Load Balancing to route traffic between services
Answer: C

GKE automatically creates DNS records for Services.

Why this answer

Option C is correct because Kubernetes Services of type ClusterIP provide a stable virtual IP and DNS name (via Cloud DNS) that resolves to the service's ClusterIP, enabling pods to discover each other without hardcoding IP addresses. GKE integrates with Cloud DNS to automatically register service DNS names in the format <service>.<namespace>.svc.cluster.local, allowing microservices to communicate reliably even if pods are rescheduled or IPs change.

Exam trap

The trap here is that candidates often confuse static configuration methods (environment variables or ConfigMaps) with dynamic service discovery, overlooking that Kubernetes' built-in DNS for ClusterIP services is the standard, automated solution for internal pod-to-pod communication.

How to eliminate wrong answers

Option A is wrong because environment variables injected into each pod are static and only set at pod creation time; they do not update dynamically when services are added, removed, or rescheduled, leading to stale references. Option B is wrong because a ConfigMap is a static key-value store for configuration data, not a dynamic service discovery mechanism; it cannot automatically update endpoints when pods scale or fail. Option D is wrong because Cloud Load Balancing is designed for external traffic distribution and does not provide internal service discovery or DNS-based resolution between microservices within the cluster.

349
MCQ (hard)

A developer is integrating an App Engine standard environment app with Cloud Storage. The app needs to read objects from a bucket that is in a different project. The developer has granted the App Engine service account the Storage Object Viewer role on the bucket. However, the app still gets a 403 error when trying to read objects. What is the most likely cause?

A. The service account needs to be downloaded as a JSON key and added to the app configuration.
B. The bucket has uniform bucket-level access disabled, so ACLs may override IAM permissions.
C. The bucket is in a VPC Service Controls perimeter that blocks access from the App Engine service account.
D. The service account is from the app's project, not the bucket's project, and the bucket's IAM policy may not include the service account.
Answer: D

Cross-project IAM requires adding the service account from the source project to the bucket's IAM policy in the destination project.

Why this answer

Option D is correct because the App Engine service account belongs to the app's project while the bucket lives in another project, so the role must be granted on the bucket in the bucket's project. The 403 persists if the bucket's IAM policy does not actually include that service account. Option A is wrong because no service account key is needed.

Option C is wrong because VPC Service Controls could block access, but that would produce a different error. Option B is wrong because an explicit IAM grant still applies even when uniform bucket-level access is disabled.

350
Multi-Select (hard)

A developer wants to ensure their Cloud Function is reliable. Which three testing practices should they follow? (Choose three.)

Select 3 answers
A. Write unit tests that mock external services
B. Use the Cloud Functions Framework to run the function locally
C. Write integration tests that use the Cloud Functions Emulator or a test project
D. Deploy the function to production for integration testing
E. Perform load testing using a Cloud Scheduler job that invokes the function frequently
Answers: A, B, C

Unit tests verify logic in isolation, increasing confidence in code correctness.

Why this answer

Option A is correct because unit tests should mock external services (like databases or APIs) to isolate the function's logic and avoid dependencies on live infrastructure. This ensures tests are fast, deterministic, and do not incur costs or side effects from actual service calls.

Exam trap

Cisco often tests the distinction between deployment strategies and testing practices, where candidates mistakenly treat production deployment or scheduler-based invocation as valid testing methods instead of using isolated, controlled environments.

351
MCQ (easy)

You need to monitor the CPU usage of a Compute Engine instance and trigger an alert when it exceeds 80% for 5 minutes. Which Google Cloud service should you use?

A. Cloud Debugger
B. Cloud Monitoring
C. Cloud Logging
D. Error Reporting
Answer: B

Cloud Monitoring provides metrics and alerting.

Why this answer

Cloud Monitoring (formerly Stackdriver Monitoring) is the correct service because it provides metrics, dashboards, and alerting policies for Compute Engine instances. You can create a metric-based alert condition that triggers when the CPU utilization metric exceeds 80% for a duration of 5 minutes, using the MQL or policy builder.

Exam trap

The trap here is that candidates confuse Cloud Logging with Cloud Monitoring because both are part of the Google Cloud operations suite, but Logging handles logs while Monitoring handles metrics and alerts.

How to eliminate wrong answers

Option A is wrong because Cloud Debugger is used to inspect the state of a running application in production without stopping it, not for monitoring CPU usage or triggering alerts. Option C is wrong because Cloud Logging collects and stores log data (e.g., application logs, system logs), but it does not natively support metric-based alerting on CPU utilization thresholds over time. Option D is wrong because Error Reporting aggregates and analyzes application errors (e.g., stack traces), not system-level metrics like CPU usage.

352
MCQ (easy)

You want to identify performance bottlenecks in your application's code, such as functions consuming excessive CPU. Which Google Cloud tool should you use?

A. Cloud Profiler
B. Cloud Monitoring
C. Cloud Trace
D. Cloud Logging
Answer: A

Cloud Profiler is designed to identify CPU and heap usage at the function level, pinpointing bottlenecks.

Why this answer

Cloud Profiler is the correct tool because it continuously gathers CPU and memory usage data from your application's functions and methods, presenting a flame graph or call graph that pinpoints which code paths consume the most resources. This allows you to identify performance bottlenecks like functions consuming excessive CPU without adding significant overhead to your production environment.

Exam trap

The trap here is that candidates confuse Cloud Monitoring's infrastructure-level CPU metrics with Cloud Profiler's application-level function profiling, leading them to choose Cloud Monitoring because it sounds like it monitors CPU usage.

How to eliminate wrong answers

Option B (Cloud Monitoring) is wrong because it provides metrics, dashboards, and alerts for infrastructure-level resources (e.g., CPU utilization of a VM or request latency), but it does not profile individual functions or code lines to identify CPU-intensive methods. Option C (Cloud Trace) is wrong because it focuses on latency analysis of request paths across distributed systems, showing how long each service or RPC call takes, not CPU consumption per function. Option D (Cloud Logging) is wrong because it collects and stores log entries from applications and services, enabling search and analysis of textual events, but it does not perform statistical sampling of CPU usage at the function level.

353
MCQ (medium)

A developer is deploying a Cloud Run service that needs to access a Cloud SQL instance. The service is deployed with the --no-allow-unauthenticated flag. What is the recommended way to grant the service access to the database?

A. Grant the Cloud SQL Client role to the Cloud Run service's runtime service account.
B. Create a service account key and store it in Secret Manager, then mount it as a volume.
C. Use the default Compute Engine service account and grant it the Cloud SQL Client role.
D. Enable the Cloud SQL Admin API and use Application Default Credentials from the Cloud Run service.
Answer: A

This directly grants the necessary permission via IAM.

Why this answer

The recommended way to grant a Cloud Run service access to a Cloud SQL instance is to grant the Cloud SQL Client role (roles/cloudsql.client) to the Cloud Run service's runtime service account. This role provides the necessary permissions (cloudsql.instances.connect and cloudsql.instances.get) to establish a secure connection via the Cloud SQL Auth Proxy or the Cloud SQL connector library. Using the runtime service account follows the principle of least privilege and avoids managing long-lived credentials.

Exam trap

Cisco often tests the misconception that you need to use a service account key or the default Compute Engine service account, when in fact Cloud Run's runtime service account is the correct identity to grant the Cloud SQL Client role to, avoiding the need for managing keys or using a shared default account.

How to eliminate wrong answers

Option B is wrong because creating a service account key and storing it in Secret Manager introduces a long-lived credential that must be rotated and managed, which is less secure and more complex than using the runtime service account's built-in identity. Option C is wrong because the default Compute Engine service account is not automatically associated with Cloud Run services; Cloud Run uses its own runtime service account, and using the Compute Engine default would violate least privilege and may not have the correct permissions. Option D is wrong because enabling the Cloud SQL Admin API alone does not grant the necessary connect permissions; the Cloud SQL Client role must be explicitly assigned to the service account, and Application Default Credentials (ADC) will only work if the underlying service account has the correct IAM role.

354
MCQ (medium)

Your organization runs a multi-region application on Cloud Run that serves an API. The API is consumed by clients worldwide. You want to reduce latency by routing users to the nearest regional Cloud Run service. Currently, all traffic goes to a single Cloud Run service in us-central1. You have set up additional Cloud Run services in europe-west1 and asia-east1. Each service is fronted by an external HTTPS load balancer with a regional backend. You want to use a single global anycast IP address that automatically directs users to the closest healthy backend. You also need to support HTTPS with a custom domain and a Google-managed certificate. What should you do?

A. Create a global external HTTPS load balancer with serverless NEGs pointing to each regional Cloud Run service, and attach a Google-managed certificate.
B. Enable anycast on the Cloud Run service by selecting the 'global' setting in the Cloud Run region selection.
C. Use Cloud DNS with geo-routing policy to point users to the appropriate regional load balancer IP based on their location.
D. Configure Cloud CDN in front of the Cloud Run services to cache responses at edge locations.
Answer: A

The global load balancer uses anycast IP and routes to the closest healthy backend, and serverless NEGs integrate with Cloud Run.

Why this answer

Option A is correct because a global external HTTPS load balancer with a global backend service routes traffic to the closest healthy backend via the Google Front Ends (GFE). The regional Cloud Run services are added as backends through serverless network endpoint groups (NEGs). Option D is wrong because Cloud CDN caches content but does not route based on locality.

Option C is wrong because Cloud DNS with geo-routing can direct clients to different IPs, but that is not a single anycast IP. Option B is wrong because Cloud Run does not support anycast itself.

355
MCQ (medium)

An application running on Compute Engine instances behind a Cloud Load Balancer experiences intermittent 502 errors. The health checks pass but sometimes requests time out. What is the most likely cause?

A. The load balancer is misconfigured with wrong backend type.
B. The backend instances are running out of memory.
C. The SSL certificate has expired.
D. The connection draining timeout is too short.
Answer: D

Short connection draining timeout causes in-flight requests to be terminated, leading to 502 errors.

Why this answer

Option D is correct because if the connection draining timeout is too short, in-flight requests are terminated when backends change, causing 502 errors even though health checks pass. Option B could cause errors, but not specifically 502s. Option C would cause SSL errors.

Option A would cause consistent failure, not intermittent errors.

356
Drag & Drop (medium)

Drag and drop the steps to set up a Firestore database in native mode in the correct order.

Why this order

Firestore native mode is selected during database creation, then data can be added.

357
MCQ (easy)

A developer needs to ensure that environment variables containing secrets are securely passed to a Cloud Function during deployment. Which approach should they use?

A. Store in source code
B. Use Cloud KMS
C. Use Secret Manager
D. Use runtime environment variables
Answer: C

Secret Manager provides secure storage, versioning, and fine-grained access control, and is the best practice for secrets.

Why this answer

Option C is correct because Secret Manager is the recommended Google Cloud service for securely storing and accessing secrets such as API keys, passwords, and certificates. It provides encryption at rest and in transit, fine-grained IAM access control, and versioning, allowing the Cloud Function to reference secrets by name at deployment time without exposing them in source code or configuration files.

Exam trap

The trap here is that candidates confuse Cloud KMS (a key encryption service) with Secret Manager (a secret storage service), or assume runtime environment variables are secure because they are not in source code, ignoring that they are stored in plain text in the deployment metadata.

How to eliminate wrong answers

Option A is wrong because storing secrets in source code exposes them in version control systems, violates security best practices, and increases the risk of accidental exposure. Option B is wrong because Cloud KMS is a key management service for encryption keys, not a secret storage service; it does not provide native secret versioning or direct integration with Cloud Functions for secret injection. Option D is wrong because runtime environment variables are set in plain text in the function configuration and can be viewed by anyone with access to the Cloud Console or deployment logs, offering no encryption or access control for secrets.

358
MCQ (medium)

A developer is troubleshooting a deployment on Cloud Run. The service fails with 'Container failed to start' error. The container image is built from a Dockerfile that uses CMD ["npm", "start"]. What is the most likely cause?

A. The Dockerfile uses CMD instead of ENTRYPOINT.
B. The container image is too large and exceeds the memory limit.
C. The application does not listen on the port specified by the PORT environment variable.
D. The Cloud Run service does not have permission to pull the image from Container Registry.
Answer: C

Cloud Run expects the container to listen on the port defined by the PORT env var (default 8080). If the app listens on another port, it fails.

Why this answer

Cloud Run requires the containerized application to listen on the port specified by the PORT environment variable (default 8080). If the application is hardcoded to listen on a different port (e.g., 3000) or does not read the PORT variable, Cloud Run's health checks and routing will fail, resulting in a 'Container failed to start' error. The CMD instruction is correct for starting npm, but the application must bind to the correct port.

Exam trap

Cisco often tests the misconception that CMD vs ENTRYPOINT is the root cause of container startup failures, when in reality the PORT environment variable mismatch is a far more frequent issue on Cloud Run.

How to eliminate wrong answers

Option A is wrong because both CMD and ENTRYPOINT can be used to start a container; Cloud Run does not require ENTRYPOINT over CMD, and this is not a common cause of startup failures. Option B is wrong because Cloud Run has a memory limit (e.g., 2 GiB default) but a large image size does not directly cause a 'Container failed to start' error; the error occurs during runtime, not during image pull or memory allocation. Option D is wrong because if Cloud Run lacked permission to pull the image, the error would be 'Permission denied' or 'Image pull failed', not 'Container failed to start', which indicates the container started but then failed.

359
MCQ (hard)

Refer to the exhibit. A developer deployed a Cloud Run service as shown. Authenticated requests from another service in the same project using a service account receive 403 Forbidden. What is the most likely cause?

A. The Cloud Run service requires the 'allAuthenticatedUsers' member to be added
B. The --no-allow-unauthenticated flag blocks all requests including authenticated ones
C. The service account used to authenticate is not granted the roles/run.invoker role on the Cloud Run service
D. The container image was built without proper authentication headers
Answer: C

The IAM policy must grant invoker role to the service account.

Why this answer

Option C is correct because the Cloud Run service requires the IAM role `roles/run.invoker` on the service itself for any principal (including a service account) to invoke it. Since the service was deployed with `--no-allow-unauthenticated`, only explicitly granted principals can invoke it. The service account used for authentication lacks this role, causing the 403 Forbidden response.

Exam trap

Cisco often tests the misconception that `--no-allow-unauthenticated` blocks all requests, including authenticated ones, when in reality it only blocks unauthenticated requests and requires explicit IAM role assignment for authenticated principals.

How to eliminate wrong answers

Option A is wrong because adding `allAuthenticatedUsers` would allow any authenticated Google identity (including service accounts) to invoke the service, but the question states the service account is already authenticated yet receives 403, so the issue is not about allowing all authenticated users—it's about granting the specific invoker role to that service account. Option B is wrong because `--no-allow-unauthenticated` does not block authenticated requests; it only blocks unauthenticated requests. Authenticated requests are still processed but must be from a principal with the `roles/run.invoker` role.

Option D is wrong because authentication headers are not part of the container image; they are provided by the client at request time. The container image itself does not control IAM authorization.

360
MCQ · hard

A developer runs the above command to build and push a container image to Container Registry, but receives the error shown. The developer has the 'Cloud Build Editor' role on the project. What is the most likely cause of the error?

A. The Cloud Storage bucket for storing build artifacts does not exist.
B. The developer's user account has been revoked access to the project.
C. The Cloud Build service account has not been enabled or does not have permission to act on behalf of the user.
D. The developer does not have the 'cloudbuild.builds.create' permission because the Cloud Build Editor role does not include it.
Answer: C

The Cloud Build service account needs to be enabled and have appropriate roles.

Why this answer

The error occurs because the Cloud Build service account (typically the Compute Engine default service account or a user-specified service account) lacks the necessary permissions to push the container image to Container Registry. Even though the developer has the 'Cloud Build Editor' role, Cloud Build itself needs a service account with appropriate IAM roles (e.g., Storage Object Admin) to write to the registry. The error is not about the developer's direct permissions but about the service account that Cloud Build uses to execute the build and push.

Exam trap

Cisco often tests the distinction between user-level permissions and service account permissions; the trap here is that candidates assume the user's role (Cloud Build Editor) is sufficient for the entire build process, ignoring that Cloud Build acts on behalf of a service account that requires separate IAM roles.

How to eliminate wrong answers

Option A is wrong because Cloud Build automatically creates the default Cloud Storage bucket (e.g., [PROJECT_ID]_cloudbuild) if it does not exist, and the error message would be different (e.g., 'bucket not found') if that were the issue. Option B is wrong because if the developer's user account had been revoked, they would not be able to run the command at all, and the error would likely be an authentication or authorization failure (e.g., 403 or 401), not a service account permission error. Option D is wrong because the 'Cloud Build Editor' role does include the 'cloudbuild.builds.create' permission; that is a core permission of the role, so the developer can submit builds.

361
MCQ · easy

A company is designing a microservices architecture on Google Kubernetes Engine (GKE). They want to ensure zero-downtime deployments. Which strategy should they use?

A. Recreate
B. Blue/green deployment
C. Rolling update
D. Canary deployment
Answer: B

Blue/green deployment runs two versions simultaneously and switches traffic instantly, providing zero downtime.

Why this answer

Blue/green deployment is the correct strategy for achieving zero-downtime deployments on GKE because it runs two identical environments (blue and green) and switches traffic instantly via a Kubernetes Service or Ingress. This eliminates any period where the application is unavailable, as the old version remains live until the new version is fully ready and traffic is cut over. GKE's LoadBalancer or Ingress controller can route all traffic to the new environment with a single configuration update, ensuring no requests are dropped.

Exam trap

The trap here is that candidates confuse 'zero-downtime' with 'minimal downtime' and choose Rolling update, not realizing that Rolling update can still cause brief unavailability if the old pods are terminated before the new ones are fully ready, whereas Blue/green ensures no overlap of traffic to an unready version.

How to eliminate wrong answers

Option A is wrong because Recreate terminates all existing pods before creating new ones, causing a period of downtime while the new pods start up. Option C is wrong because Rolling update, while minimizing downtime, can still cause brief periods of unavailability if health checks fail or if the update is not configured with proper surge and maxUnavailable settings, and it does not guarantee zero-downtime in all scenarios. Option D is wrong because Canary deployment is designed for gradual traffic shifting and risk mitigation, not for zero-downtime deployments; it intentionally routes a small percentage of traffic to the new version, which can still cause partial downtime or errors if the canary fails, and it requires manual or automated traffic management to complete the rollout.

362
MCQ · easy

A developer wants to deploy a Compute Engine instance using Terraform. They want to run a startup script to install software. How should they provide the script?

A. Use the metadata block with key 'startup-script' and the script content as value.
B. Use a cloud-init configuration file passed via user-data metadata.
C. Use the user-data metadata key with the script content.
D. Use the gcloud compute instances create command with --metadata-from-file flag.
Answer: A

This is the standard way to provide startup scripts in Terraform for GCP.

Why this answer

Option A is correct because Terraform's `metadata` block with the `startup-script` key is the standard way to supply a startup script. Option B is wrong because cloud-init is not native to Compute Engine. Option C is wrong because Compute Engine startup scripts are not read from the user-data key.

Option D is wrong because `gcloud compute instances create` with `--metadata-from-file` is a gcloud command, not Terraform.

363
MCQ · medium

Refer to the exhibit. Which schema or index change would most improve this query?

A. Create a primary key on CustomerID
B. Rewrite the query as a subquery
C. Create a secondary index on Orders.CustomerID and Customers.CustomerID
D. Increase the number of Spanner nodes
Answer: C

Secondary indexes speed up joins by enabling index seeks instead of full scans.

Why this answer

Option C is correct because creating secondary indexes on both `Orders.CustomerID` and `Customers.CustomerID` allows Spanner to perform an index-based join without scanning the full base tables. Spanner uses distributed, strongly consistent secondary indexes to avoid full table scans, which dramatically reduces latency and resource consumption for join queries. Without these indexes, Spanner must perform a broadcast join or a full table scan on both tables, which is inefficient at scale.

Exam trap

Cisco often tests the misconception that adding nodes or rewriting queries can fix performance issues, when the real bottleneck is the lack of appropriate secondary indexes for join and filter operations in a distributed database like Spanner.

How to eliminate wrong answers

Option A is wrong because a primary key on `CustomerID` already exists implicitly or explicitly in most table designs, and adding another primary key would not improve query performance for a join on `CustomerID`; Spanner does not use primary keys for join acceleration in the same way as secondary indexes. Option B is wrong because rewriting the query as a subquery does not change the underlying access pattern; Spanner still needs to scan tables or use indexes, and a subquery can even introduce additional overhead without any index optimization. Option D is wrong because increasing the number of Spanner nodes adds compute and storage capacity but does not directly improve query performance for a specific join; it may even increase latency due to more distributed coordination unless the query is already I/O-bound and the additional nodes are used to parallelize scans, which still requires indexes to avoid full table scans.

364
MCQ · easy

A developer is building a microservices application on Cloud Run. One service needs to make authenticated HTTP requests to another Cloud Run service in the same project. What is the best practice for authentication?

A. Use API keys
B. Use Cloud Run's built-in service-to-service authentication with the default compute service account
C. Use OAuth2 client credentials
D. Use IAM roles on the target service and call it with the appropriate identity token from the metadata server
Answer: D

This is the recommended approach: use a service account with the roles/run.invoker role on the target service and obtain an identity token from the metadata server.

Why this answer

Option D is correct because Cloud Run service-to-service authentication is best done by obtaining an identity token from the metadata server and granting IAM on the target service. Option A is not recommended because API keys are for external clients. Option C uses OAuth2 client credentials, which are for external applications.

Option B uses the default compute service account, which may have broader permissions than needed.

365
MCQ · easy

A developer wants to ensure that error logs from their Java application are automatically captured and grouped in Cloud Error Reporting. What is the recommended approach?

A. Configure a log sink to Error Reporting
B. Export logs to BigQuery and then import to Error Reporting
C. Instrument the application with the Error Reporting client library
D. Use a custom log-based metric to count errors
Answer: C

The client library automatically captures and groups errors.

Why this answer

Option C is correct because the Error Reporting client library directly integrates with the application to automatically capture and group error logs, sending them to Cloud Error Reporting without requiring additional infrastructure. This is the recommended approach as it provides structured error reporting with automatic grouping, stack trace analysis, and real-time notifications.

Exam trap

Cisco often tests the misconception that log sinks can route directly to Error Reporting, but in reality, log sinks only support specific destinations like BigQuery, Pub/Sub, Cloud Storage, and Logging buckets, not Error Reporting.

How to eliminate wrong answers

Option A is wrong because configuring a log sink to Error Reporting is not a supported operation; log sinks route logs to destinations like BigQuery, Pub/Sub, or Cloud Storage, not directly to Error Reporting. Option B is wrong because exporting logs to BigQuery and then importing to Error Reporting introduces unnecessary complexity and latency, and Error Reporting does not have an import mechanism from BigQuery. Option D is wrong because a custom log-based metric to count errors only tracks the count of errors, not the actual error details, stack traces, or grouping required for Error Reporting.

366
Multi-Select · medium

A company is integrating a legacy application with Google Cloud using Cloud VPN. The application must be accessed from multiple remote offices over the internet. Which TWO technologies should the company use to ensure secure and reliable connectivity? (Choose TWO.)

Select 2 answers
A. Cloud Interconnect
B. Private Google Access
C. Cloud NAT
D. Direct Peering
E. Cloud VPN
Answers: A, E

Provides dedicated, low-latency connections, ideal for reliable access.

Why this answer

Option E (Cloud VPN) is correct for site-to-site VPN connectivity. Option A (Cloud Interconnect) is correct for dedicated, reliable connectivity. Option D (Direct Peering) is not recommended for multiple offices because it connects on-prem to Google directly, not in a hub-and-spoke layout.

Option C (Cloud NAT) is for outbound internet access. Option B (Private Google Access) is for on-prem access to Google APIs.

367
Multi-Select · hard

A company's application on GKE is experiencing performance degradation. They want to use Google Cloud operations tools to identify the root cause. Which THREE tools should they use in combination?

Select 3 answers
A. Cloud Trace
B. Cloud Monitoring
C. Cloud Profiler
D. Cloud Debugger
E. Cloud Logging
Answers: A, B, E

Cloud Trace enables distributed tracing to identify latency bottlenecks.

Why this answer

Cloud Trace is correct because it provides distributed tracing capabilities that allow you to analyze latency across microservices in a GKE application. By collecting trace data from each request as it propagates through services, Cloud Trace helps identify performance bottlenecks, such as slow downstream calls or inefficient database queries, which are common causes of performance degradation.

Exam trap

Cisco often tests the distinction between tools that diagnose performance (Trace, Monitoring, Logging) versus tools that debug code (Debugger) or profile resource usage (Profiler), leading candidates to include Profiler or Debugger when only performance monitoring tools are needed.

368
MCQ · easy

A team is developing a mobile backend API on Google Cloud. They are using Cloud Endpoints to manage API authentication and quotas. They want to monitor API performance including request count, latency, and error rates. They have enabled Cloud Endpoints logging but are not seeing detailed performance metrics in Cloud Monitoring. What should they do?

A. Deploy a custom metrics exporter in the mobile app.
B. Enable Cloud Monitoring integration in Cloud Endpoints configuration.
C. Install the Ops Agent on the API backend instances.
D. Use Cloud Logging to parse logs and create metric counters.
Answer: B

This sends detailed API metrics to Cloud Monitoring without custom coding.

Why this answer

Cloud Endpoints uses an Extensible Service Proxy (ESP) or Envoy proxy to intercept API calls and report metrics to Cloud Monitoring. By default, Endpoints logs requests but does not send detailed performance metrics (e.g., latency, request count, error rates) to Cloud Monitoring unless you explicitly enable the Cloud Monitoring integration in the Endpoints service configuration. Option B is correct because enabling this integration configures the proxy to emit those metrics directly to Cloud Monitoring.

Exam trap

The trap here is that candidates confuse Cloud Endpoints logging (which records individual request logs) with Cloud Monitoring metrics (which aggregate performance data), and they incorrectly assume that enabling logs automatically populates Cloud Monitoring dashboards.

How to eliminate wrong answers

Option A is wrong because custom metrics exported from the mobile app would measure client-side performance, not the backend API performance that Cloud Endpoints monitors. Option C is wrong because the Ops Agent collects OS-level and application metrics from VM instances, but it does not integrate with Cloud Endpoints' proxy to capture API-specific metrics like request count, latency, or error rates. Option D is wrong because while you could parse logs to create metric counters, this approach is indirect, adds latency, and misses the built-in, low-latency metric pipeline that Cloud Endpoints provides when integrated with Cloud Monitoring.

369
MCQ · easy

A developer wants to allow a Compute Engine instance to send messages to a Pub/Sub topic. What is the recommended way to grant permissions?

A. Generate an API key for the instance and include it in HTTP requests.
B. Create a service account and assign the Pub/Sub Publisher role; attach the service account to the instance.
C. Use the instance's default Compute Engine service account and assign the Pub/Sub Publisher role to it.
D. Store the service account key file directly on the instance.
Answer: C

The default service account is convenient and secure.

Why this answer

Option C is correct because using the default Compute Engine service account and assigning it the Pub/Sub Publisher role is the simplest and recommended approach. Option B works but is less efficient. Option A is wrong because API keys are not for service-to-service auth.

Option D is insecure.

370
MCQ · medium

A company is running a critical application on Google Kubernetes Engine (GKE) that stores state in a Cloud SQL PostgreSQL instance. The application's latency-sensitive frontend needs to read data from Cloud SQL with minimal latency. The team wants to reduce read latency and offload read traffic from the primary database. What should they do?

A. Migrate the database to Cloud Spanner for better read scalability.
B. Use Memorystore for Redis as a cache layer between the application and Cloud SQL.
C. Create a read replica of the Cloud SQL instance and direct read traffic to the replica.
D. Use Cloud CDN to cache database responses.
Answer: C

Read replicas handle read-only queries, reducing load on the primary and improving read latency.

Why this answer

Option C is correct because creating a read replica of the Cloud SQL PostgreSQL instance allows read-heavy, latency-sensitive traffic to be offloaded from the primary database. The replica handles SELECT queries independently, reducing load on the primary and lowering read latency for the frontend, as replicas are typically in the same region and can serve data with minimal additional delay.

Exam trap

Cisco often tests the misconception that caching (Memorystore or CDN) is the only way to reduce read latency, but the question specifically asks to offload read traffic from the primary database, which a read replica achieves directly without introducing cache coherence complexity.

How to eliminate wrong answers

Option A is wrong because migrating to Cloud Spanner would introduce unnecessary complexity and cost for a workload that only needs read offloading; Spanner is designed for global, strongly consistent transactions, not simply reducing read latency from a single-region PostgreSQL instance. Option B is wrong because Memorystore for Redis adds a caching layer that requires application code changes to manage cache invalidation and consistency, and it does not directly offload read traffic from Cloud SQL—it caches data, but stale reads can occur if not carefully managed. Option D is wrong because Cloud CDN caches static content at edge locations and is not designed to cache dynamic database query responses; it would not reduce read latency for application-level database reads and would introduce staleness issues.

371
MCQ · hard

An organization wants to create custom metrics based on application logs to track business KPIs. They need to ensure these metrics are available for alerting within minutes. Which approach should they use?

A. Export logs to BigQuery and use scheduled queries
B. Use OpenTelemetry collector to send metrics directly
C. Use Cloud Functions to parse logs and push custom metrics via API
D. Write logs to Cloud Logging and use log-based metrics
Answer: D

Log-based metrics are designed for this use case with low latency.

Why this answer

Log-based metrics in Cloud Logging allow you to define custom metrics from log entries using filters or regular expressions. These metrics are ingested and available for alerting within minutes because they are processed in near real-time by the Cloud Monitoring backend, without requiring external data pipelines or custom code.

Exam trap

Cisco often tests the distinction between extracting metrics from logs (log-based metrics) versus sending metrics directly (OpenTelemetry or custom API), and candidates mistakenly choose direct metric collection when the requirement explicitly states the source is application logs.

How to eliminate wrong answers

Option A is wrong because exporting logs to BigQuery and using scheduled queries introduces latency of at least several minutes (due to export delays and query scheduling), making it unsuitable for near-real-time alerting. Option B is wrong because the OpenTelemetry collector sends metrics directly, but the question requires metrics derived from application logs, not direct metric instrumentation; using OpenTelemetry would bypass the log source entirely. Option C is wrong because using Cloud Functions to parse logs and push custom metrics via API adds unnecessary complexity and latency (function cold starts, API call overhead), and is less reliable than the native log-based metrics pipeline which is designed for low-latency metric extraction.

372
MCQ · medium

A team notices that their application's latency has increased after a recent deployment. They suspect a specific code path is slower. Which Google Cloud tool should they use to identify the most time-consuming functions in their code?

A. Cloud Debugger
B. Cloud Trace
C. Cloud Profiler
D. Cloud Logging
Answer: C

Profiler shows the most time-consuming functions in production.

Why this answer

Cloud Profiler is the correct tool because it performs continuous, low-overhead profiling of CPU and memory usage, pinpointing the specific functions or methods that consume the most resources. Unlike tracing, which focuses on request latency across services, profiling identifies the most time-consuming code paths within a single application process, making it ideal for diagnosing a slow code path after a deployment.

Exam trap

The trap here is that candidates often confuse Cloud Trace (which shows request-level latency) with Cloud Profiler (which shows function-level CPU/memory consumption), leading them to choose Trace when the question specifically asks for identifying the most time-consuming functions within a code path.

How to eliminate wrong answers

Option A is wrong because Cloud Debugger is designed for inspecting application state at a specific point in time (e.g., viewing variables and stack traces) without stopping the app, but it does not measure or aggregate function execution times to identify the slowest code paths. Option B is wrong because Cloud Trace provides distributed tracing to measure end-to-end request latency across services, but it does not drill down into individual function-level execution time within a single service; it focuses on spans and requests, not code profiling. Option D is wrong because Cloud Logging collects and stores log data for analysis and alerting, but it does not automatically instrument or measure function execution times; it requires manual log statements and cannot identify the most time-consuming functions without custom instrumentation.

373
MCQ · easy

A company wants to trigger a Cloud Run job every time a new file is uploaded to a Cloud Storage bucket. Which integration should be used?

A. Use Cloud Pub/Sub notifications from the bucket and create a push subscription to the Cloud Run job.
B. Use Cloud Scheduler to poll the bucket and invoke the Cloud Run job every minute.
C. Use Eventarc to create a trigger that routes Cloud Storage events to the Cloud Run job.
D. Use Cloud Functions to listen for storage events and then call the Cloud Run job via HTTP.
Answer: C

Eventarc listens to events and delivers them to Cloud Run jobs.

Why this answer

Option C is correct because Eventarc can route Cloud Storage events (like object finalize) to Cloud Run jobs via CloudEvents. Option B is wrong because Cloud Scheduler is time-based, not event-based. Option D is wrong because Cloud Functions can be triggered by storage events, but the question asks for a Cloud Run job.

Option A is wrong because Pub/Sub alone cannot directly trigger a Cloud Run job without a subscription or push endpoint.

374
Multi-Select · hard

Which THREE are valid methods for authenticating a user or service when deploying a Cloud Function via the Google Cloud SDK? (Choose 3)

Select 3 answers
A. Using an API key
B. Using a user account with 'gcloud auth login'
C. Using an OAuth 2.0 client ID
D. Using an access token obtained from the Google Cloud Console
E. Using a service account key file with 'gcloud auth activate-service-account'
Answers: B, D, E

Valid: User accounts can authenticate via OAuth 2.0.

Why this answer

Option B is correct because 'gcloud auth login' authenticates a user account via OAuth 2.0, which is a valid method for deploying Cloud Functions. The Google Cloud SDK uses the user's credentials to authorize API calls, including deployments, making this a standard authentication approach for interactive or user-driven workflows.

Exam trap

Cisco often tests the distinction between authentication methods that are valid for SDK commands versus those meant for other contexts, such as API keys for simple API access or OAuth client IDs for application flows, leading candidates to mistakenly select them as valid for gcloud deployments.

375
MCQ · hard

Refer to the exhibit. You are analyzing application logs and notice that some logs contain a 'trace' field. What does this field enable?

A. It is used by Cloud Monitoring to correlate logs with metrics
B. It is used to export the log to Cloud Trace
C. It links the log entry to a specific Cloud Trace trace for end-to-end latency analysis
D. It indicates that the log was generated by the Cloud Trace agent
Answer: C

The trace field allows you to view the request's entire trace in Cloud Trace.

Why this answer

The 'trace' field in a log entry contains the trace ID and span ID that link the log to a specific Cloud Trace trace. This enables end-to-end latency analysis by correlating log entries with the distributed trace that generated them, allowing you to see the full request path across services.

Exam trap

Cisco often tests the distinction between 'correlating logs with metrics' (which is done via resource labels or custom metrics) and 'linking logs to a specific trace' (which is the exact purpose of the trace field), so candidates mistakenly choose A because they confuse correlation with linking.

How to eliminate wrong answers

Option A is wrong because Cloud Monitoring uses metrics and logs separately; the 'trace' field does not correlate logs with metrics—that correlation is done via resource labels or metric descriptors, not the trace field. Option B is wrong because the 'trace' field does not trigger log export to Cloud Trace; logs are exported via sinks or agents, and Cloud Trace ingests trace data directly from instrumented applications. Option D is wrong because the 'trace' field indicates a link to an existing trace, not that the log was generated by the Cloud Trace agent; logs can be written by any source and still include a trace ID if the application propagates it.
